[Buildroot] [PATCH 00/10] Introduce CPE ID matching for CVEs

[Buildroot] [PATCH 00/10] Introduce CPE ID matching for CVEs

[Thomas Petazzoni]

Hello,

This is another iteration of the work started by Matt Weber on CPE ID
matching, and then improved by Gr?gory Clement. In this series, I have
limited further the scope of the work compared to what Matt and
Gr?gory have posted, with the idea that the remainder will be handled
in follow-up patch series.

This series limits itself to:

 - Allowing packages to provide their CPE ID information.
 - Improving the logic used to match CVEs against packages to make use
   of this CPE ID information.

Details of the series:

 - PATCH 1 and PATCH 2 are relatively minor preparation patches.

 - PATCH 3 adds the bits of generic-package infrastructure that allows
   packages to provide their CPE ID information. Read the commit log
   carefully to understand the choices that were made. PATCH 4 adds
   the documentation for those new variables.

 - PATCH 5 exposes the CPE ID information of each package in the "make
   show-info" output.

 - PATCH 6 adds test cases to verify that the CPE ID variables and the
   make show-info JSON output for CPE ID information are correctly
   handled.

 - PATCH 7 and 8 respectively adapt the cve-checker and pkg-stats
   scripts so that they display the CPE ID of each package, when
   available. At this point, the CPE ID is only displayed in a new
   column.

 - PATCH 9 is where the CVE matching logic gets improved to use the
   CPE ID information when available for a package.

 - PATCH 10 adds CPE ID information to over a hundred packages.

Overall, the scope of this series is therefore much more focused, and
hopefully more manageable to review.

Best regards,

Thomas

Gregory CLEMENT (2):
  support/scripts/cve-checker: show CPE ID in results
  support/script/pkg-stats: show CPE ID in results

Matt Weber (2):
  package/pkg-generic.mk: add CPE ID related package variables
  package: provide CPE ID details for numerous packages

Thomas Petazzoni (6):
  support/scripts/cve.py: properly match CPEs with version '*'
  support/scripts/cve-checker: parse arguments earlier
  docs/manual: document <pkg>_CPE_ID variables
  package/pkg-utils.mk: expose CPE ID in show-info when available
  support/testing/tests/core/test_cpeid: new test
  support/scripts/{pkg-stats,cve.py,cve-checker}: support CPE ID based
    matching

 boot/grub2/grub2.mk                           |   1 +
 boot/uboot/uboot.mk                           |   2 +
 docs/manual/adding-packages-generic.txt       |  39 +++++++
 linux/linux.mk                                |   2 +
 package/audit/audit.mk                        |   2 +
 package/aufs/aufs.mk                          |   1 +
 package/bash/bash.mk                          |   1 +
 package/bc/bc.mk                              |   1 +
 package/bind/bind.mk                          |   1 +
 package/boost/boost.mk                        |   1 +
 package/bridge-utils/bridge-utils.mk          |   1 +
 package/busybox/busybox.mk                    |   1 +
 package/bzip2/bzip2.mk                        |   1 +
 package/clang/clang.mk                        |   1 +
 package/collectd/collectd.mk                  |   1 +
 package/conntrack-tools/conntrack-tools.mk    |   1 +
 package/coreutils/coreutils.mk                |   1 +
 package/crda/crda.mk                          |   1 +
 package/davici/davici.mk                      |   1 +
 package/dbus-glib/dbus-glib.mk                |   1 +
 package/dbus/dbus.mk                          |   2 +
 package/dhcp/dhcp.mk                          |   1 +
 package/dnsmasq/dnsmasq.mk                    |   1 +
 package/dropbear/dropbear.mk                  |   2 +
 package/ebtables/ebtables.mk                  |   1 +
 package/ethtool/ethtool.mk                    |   1 +
 package/expat/expat.mk                        |   1 +
 package/gdb/gdb.mk                            |   1 +
 package/gesftpserver/gesftpserver.mk          |   2 +
 package/glibc/glibc.mk                        |   1 +
 package/gmp/gmp.mk                            |   1 +
 package/gnupg/gnupg.mk                        |   1 +
 package/gnutls/gnutls.mk                      |   1 +
 package/grep/grep.mk                          |   1 +
 package/gtest/gtest.mk                        |   2 +
 package/gzip/gzip.mk                          |   1 +
 package/hostapd/hostapd.mk                    |   1 +
 package/ifupdown/ifupdown.mk                  |   1 +
 package/iperf/iperf.mk                        |   2 +
 package/iperf3/iperf3.mk                      |   1 +
 package/ipset/ipset.mk                        |   1 +
 package/iptables/iptables.mk                  |   1 +
 package/iw/iw.mk                              |   1 +
 package/kmod/kmod.mk                          |   2 +
 package/libarchive/libarchive.mk              |   1 +
 package/libcurl/libcurl.mk                    |   2 +
 package/libestr/libestr.mk                    |   1 +
 package/libfastjson/libfastjson.mk            |   1 +
 package/libfcgi/libfcgi.mk                    |   2 +
 package/libffi/libffi.mk                      |   2 +
 package/libgcrypt/libgcrypt.mk                |   1 +
 package/libglib2/libglib2.mk                  |   2 +
 package/libgpg-error/libgpg-error.mk          |   1 +
 package/liblogging/liblogging.mk              |   1 +
 package/libmbim/libmbim.mk                    |   1 +
 package/libmnl/libmnl.mk                      |   1 +
 .../libnetfilter_conntrack.mk                 |   1 +
 .../libnetfilter_cthelper.mk                  |   1 +
 .../libnetfilter_cttimeout.mk                 |   1 +
 .../libnetfilter_queue/libnetfilter_queue.mk  |   1 +
 package/libnfnetlink/libnfnetlink.mk          |   1 +
 package/libopenssl/Config.in                  |  11 ++
 package/libopenssl/libopenssl.mk              |   2 +
 package/libpcap/libpcap.mk                    |   1 +
 package/libselinux/libselinux.mk              |   1 +
 package/libsemanage/libsemanage.mk            |   1 +
 package/libsepol/libsepol.mk                  |   1 +
 package/libssh2/libssh2.mk                    |   1 +
 package/libsysfs/libsysfs.mk                  |   2 +
 package/libtasn1/libtasn1.mk                  |   1 +
 package/libunistring/libunistring.mk          |   1 +
 package/libxml2/libxml2.mk                    |   1 +
 package/libxslt/libxslt.mk                    |   1 +
 package/libzlib/libzlib.mk                    |   2 +
 package/lighttpd/lighttpd.mk                  |   1 +
 package/linux-firmware/linux-firmware.mk      |   2 +
 package/linux-headers/linux-headers.mk        |   2 +
 package/linux-pam/linux-pam.mk                |   2 +
 package/llvm/llvm.mk                          |   1 +
 package/lxc/lxc.mk                            |   1 +
 package/lz4/lz4.mk                            |   1 +
 package/memtester/memtester.mk                |   1 +
 package/mii-diag/mii-diag.mk                  |   1 +
 package/mpfr/mpfr.mk                          |   1 +
 package/mrouted/mrouted.mk                    |   1 +
 package/mtd/mtd.mk                            |   2 +
 package/ncurses/ncurses.mk                    |   1 +
 package/netsnmp/netsnmp.mk                    |   2 +
 package/nfs-utils/nfs-utils.mk                |   2 +
 package/openssh/openssh.mk                    |   3 +
 package/pax-utils/pax-utils.mk                |   1 +
 package/paxtest/paxtest.mk                    |   1 +
 package/pcre/pcre.mk                          |   1 +
 package/pixman/pixman.mk                      |   1 +
 package/pkg-generic.mk                        |  70 +++++++++++
 package/pkg-utils.mk                          |   3 +
 package/policycoreutils/policycoreutils.mk    |   1 +
 package/pppd/pppd.mk                          |   2 +
 package/proftpd/proftpd.mk                    |   1 +
 package/protobuf/protobuf.mk                  |   1 +
 package/pure-ftpd/pure-ftpd.mk                |   1 +
 package/python-lxml/python-lxml.mk            |   2 +
 .../python-setuptools/python-setuptools.mk    |   2 +
 package/python/python.mk                      |   1 +
 package/qemu/qemu.mk                          |   1 +
 package/rapidjson/rapidjson.mk                |   1 +
 package/readline/readline.mk                  |   1 +
 package/refpolicy/refpolicy.mk                |   1 +
 package/rsyslog/rsyslog.mk                    |   1 +
 package/rt-tests/rt-tests.mk                  |   1 +
 package/sed/sed.mk                            |   1 +
 package/setools/setools.mk                    |   1 +
 package/setserial/setserial.mk                |   1 +
 package/smcroute/smcroute.mk                  |   1 +
 package/spawn-fcgi/spawn-fcgi.mk              |   1 +
 package/sqlite/sqlite.mk                      |   2 +
 package/strongswan/strongswan.mk              |   1 +
 package/tar/tar.mk                            |   1 +
 package/tcl/tcl.mk                            |   1 +
 package/tcpdump/tcpdump.mk                    |   1 +
 package/tftpd/tftpd.mk                        |   2 +
 package/uboot-tools/uboot-tools.mk            |   2 +
 package/util-linux/util-linux.mk              |   1 +
 package/valgrind/valgrind.mk                  |   1 +
 package/vim/vim.mk                            |   1 +
 package/wget/wget.mk                          |   1 +
 package/wireless-regdb/wireless-regdb.mk      |   1 +
 package/wireless_tools/wireless_tools.mk      |   2 +
 package/wpa_supplicant/wpa_supplicant.mk      |   1 +
 package/xerces/xerces.mk                      |   2 +
 package/xz/xz.mk                              |   1 +
 support/scripts/cve-checker                   |  48 ++++++--
 support/scripts/cve.py                        |  50 +++++---
 support/scripts/pkg-stats                     |  69 +++++++++--
 .../tests/core/cpeid-br2-external/Config.in   |   0
 .../core/cpeid-br2-external/external.desc     |   1 +
 .../tests/core/cpeid-br2-external/external.mk |   1 +
 .../package/cpe-id-pkg1/cpe-id-pkg1.mk        |   4 +
 .../package/cpe-id-pkg2/cpe-id-pkg2.mk        |   3 +
 .../package/cpe-id-pkg3/cpe-id-pkg3.mk        |   5 +
 .../package/cpe-id-pkg4/cpe-id-pkg4.mk        |   9 ++
 .../package/cpe-id-pkg5/cpe-id-pkg5.mk        |  16 +++
 support/testing/tests/core/test_cpeid.py      | 109 ++++++++++++++++++
 143 files changed, 564 insertions(+), 33 deletions(-)
 create mode 100644 support/testing/tests/core/cpeid-br2-external/Config.in
 create mode 100644 support/testing/tests/core/cpeid-br2-external/external.desc
 create mode 100644 support/testing/tests/core/cpeid-br2-external/external.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg1/cpe-id-pkg1.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg2/cpe-id-pkg2.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg3/cpe-id-pkg3.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg4/cpe-id-pkg4.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg5/cpe-id-pkg5.mk
 create mode 100644 support/testing/tests/core/test_cpeid.py

-- 
2.26.2

[Buildroot] [PATCH 01/10] support/scripts/cve.py: properly match CPEs with version '*'

[Thomas Petazzoni]

Currently, when the version encoded in a CPE is '-', we assume all
versions are affected, but when it's '*' with no further range
information, we assume no version is affected.

This doesn't make sense, so instead, we handle '*' and '-' in the same
way. If there's no version information available in the CVE CPE ID, we
assume all versions are affected.

This increases quite a bit the number of CVEs and package affected:

-    "total-cves": 302,
-    "pkg-cves": 100,
+    "total-cves": 597,
+    "pkg-cves": 135,

For example, CVE-2007-4476 has a CPE ID of:

    cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:*

So it should be taken into account. In this specific case, it is
combined with an AND with CPE ID
cpe:2.3:o:suse:suse_linux:10:*:enterprise_server:*:*:*:*:* but since
we don't support this kind of matching, we'd better be on the safe
side, and report this CVE as affecting tar, do an analysis of the CVE
impact, and document it in TAR_IGNORE_CVES.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 support/scripts/cve.py | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index 6396019e0e..e7472cd470 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -144,10 +144,6 @@ class CVE:
                 # Version is defined, this is a '=' match
                 op_start = '='
                 v_start = version
-            elif version == '-':
-                # no version information is available
-                op_start = '='
-                v_start = version
             else:
                 # Parse start version, end version and operators
                 if 'versionStartIncluding' in cpe:
@@ -206,11 +202,8 @@ class CVE:
         for cpe in self.each_cpe():
             if cpe['product'] != name:
                 continue
-            if cpe['v_start'] == '-':
-                return self.CVE_AFFECTS
             if not cpe['v_start'] and not cpe['v_end']:
-                print("No CVE affected version")
-                continue
+                return self.CVE_AFFECTS
             if not pkg_version:
                 continue
 
-- 
2.26.2

[Buildroot] [PATCH 01/10] support/scripts/cve.py: properly match CPEs with version '*'

[Matthew Weber]

Thomas,


On Wed, Nov 4, 2020 at 8:53 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Currently, when the version encoded in a CPE is '-', we assume all
> versions are affected, but when it's '*' with no further range
> information, we assume no version is affected.
>
> This doesn't make sense, so instead, we handle '*' and '-' in the same
> way. If there's no version information available in the CVE CPE ID, we
> assume all versions are affected.
>
> This increases quite a bit the number of CVEs and package affected:
>
> -    "total-cves": 302,
> -    "pkg-cves": 100,
> +    "total-cves": 597,
> +    "pkg-cves": 135,
>
> For example, CVE-2007-4476 has a CPE ID of:
>
>     cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:*
>
> So it should be taken into account. In this specific case, it is
> combined with an AND with CPE ID
> cpe:2.3:o:suse:suse_linux:10:*:enterprise_server:*:*:*:*:* but since
> we don't support this kind of matching, we'd better be on the safe
> side, and report this CVE as affecting tar, do an analysis of the CVE
> impact, and document it in TAR_IGNORE_CVES.


I agree, it is better to over-report and give people the option of
setting the ignore entry or to go work with the CPE dictionary team to
make an update to how that CVE is being mapped to the CPE.

I was interested to know if yocto has an existing listing of CVE they
are ignoring as well.  I looked a bit at the cve-checker[2] but I
couldn't find any existing list or metadata within yocto but instead a
few forked tools that all allow you to create a Software Bill Of
Materials (SBOM) and provide a list of overall excluded CVE [1].  It
seems better to keep the initial refinement within Buildroot or to
push instead for making a correction in the actual CVE mapping.  If
the user wants to whitelist it outside of Buildroot for their specific
use case, that could be a topic for a future patchset on creation of a
Software Bill Of Materials matching/tailored for their defconfig.
Thoughts?

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>


[1] https://github.com/LairdCP/cve-checker/blob/master/cli.py
[2] https://hub.mender.io/t/how-to-run-cve-checks-using-the-yocto-project/1142

[Buildroot] [PATCH 01/10] support/scripts/cve.py: properly match CPEs with version '*'

[Thomas Petazzoni]

Hello,

On Wed, 4 Nov 2020 10:45:32 -0600
Matthew Weber <matthew.weber@collins.com> wrote:

> > So it should be taken into account. In this specific case, it is
> > combined with an AND with CPE ID
> > cpe:2.3:o:suse:suse_linux:10:*:enterprise_server:*:*:*:*:* but since
> > we don't support this kind of matching, we'd better be on the safe
> > side, and report this CVE as affecting tar, do an analysis of the CVE
> > impact, and document it in TAR_IGNORE_CVES.  
> 
> I agree, it is better to over-report and give people the option of
> setting the ignore entry or to go work with the CPE dictionary team to
> make an update to how that CVE is being mapped to the CPE.

That is the idea. And among the new CVEs that appear, there are really
some CVEs where the NVD database just specify "*", without any
combination with a particular operating system or distribution: i.e the
CVE description is so imprecise that it doesn't even say which versions
of the software component are affected.

> I was interested to know if yocto has an existing listing of CVE they
> are ignoring as well.  I looked a bit at the cve-checker[2] but I
> couldn't find any existing list or metadata within yocto but instead a
> few forked tools that all allow you to create a Software Bill Of
> Materials (SBOM) and provide a list of overall excluded CVE [1].  It
> seems better to keep the initial refinement within Buildroot or to
> push instead for making a correction in the actual CVE mapping.  If
> the user wants to whitelist it outside of Buildroot for their specific
> use case, that could be a topic for a future patchset on creation of a
> Software Bill Of Materials matching/tailored for their defconfig.
> Thoughts?

Yes, we could certainly think of allowing the user to extend the list
of ignored CVEs. I haven't tried doing <pkg>_IGNORE_CVES +=
CVE-YYYY-XYZ in external.mk from an external tree. I don't know if it's
going to play well with the expansion ordering, though.

> Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 01/10] support/scripts/cve.py: properly match CPEs with version '*'

[Thomas Petazzoni]

On Wed,  4 Nov 2020 15:51:35 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Currently, when the version encoded in a CPE is '-', we assume all
> versions are affected, but when it's '*' with no further range
> information, we assume no version is affected.
> 
> This doesn't make sense, so instead, we handle '*' and '-' in the same
> way. If there's no version information available in the CVE CPE ID, we
> assume all versions are affected.
> 
> This increases quite a bit the number of CVEs and package affected:
> 
> -    "total-cves": 302,
> -    "pkg-cves": 100,
> +    "total-cves": 597,
> +    "pkg-cves": 135,
> 
> For example, CVE-2007-4476 has a CPE ID of:
> 
>     cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:*
> 
> So it should be taken into account. In this specific case, it is
> combined with an AND with CPE ID
> cpe:2.3:o:suse:suse_linux:10:*:enterprise_server:*:*:*:*:* but since
> we don't support this kind of matching, we'd better be on the safe
> side, and report this CVE as affecting tar, do an analysis of the CVE
> impact, and document it in TAR_IGNORE_CVES.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  support/scripts/cve.py | 9 +--------
>  1 file changed, 1 insertion(+), 8 deletions(-)

Since Matt gave his Reviewed-by, and it's a fairly simple patch
touching just pkg-stats/CVE, I've applied to next. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 02/10] support/scripts/cve-checker: parse arguments earlier

[Thomas Petazzoni]

This allows to have --help working, and the argument error checking
before we read from stdin, and potentially block if we get nothing on
stdin.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 support/scripts/cve-checker | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index 998ea5b8af..ff110fc17c 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -172,6 +172,8 @@ def parse_args():
 
 
 def __main__():
+    args = parse_args()
+
     packages = list()
     content = json.load(sys.stdin)
     for item in content:
@@ -179,7 +181,6 @@ def __main__():
         p = Package(item, pkg.get('version', ''), pkg.get('ignore_cves', ''))
         packages.append(p)
 
-    args = parse_args()
     date = datetime.datetime.utcnow()
 
     print("Checking packages CVEs")
-- 
2.26.2

[Buildroot] [PATCH 02/10] support/scripts/cve-checker: parse arguments earlier

[Thomas Petazzoni]

On Wed,  4 Nov 2020 15:51:36 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> This allows to have --help working, and the argument error checking
> before we read from stdin, and potentially block if we get nothing on
> stdin.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

cve-checker has been dropped from Buildroot now, so this patch no
longer makes sense. I've marked it as Not Applicable in patchwork.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 03/10] package/pkg-generic.mk: add CPE ID related package variables

[Thomas Petazzoni]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Currently, the match between Buildroot packages and CVEs is solely
based on the package names. Unfortunately, as one can imagine, there
isn't necessarily a strict mapping between Buildroot package names,
and how software projects are referenced in the National Vulnerability
Database (NVD) which we use.

The NVD has defined the concept of CPE (Common Platform Enumeration)
identifiers, which uniquely identifies software components based on
string looking like this:

  cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*

In particular, this CPE identifier contains a vendor name (here
"netsurf-browser"), a product name (here "libnsbmp") and a version
(here "0.1.2").

This patch series introduces the concept of CPE ID in Buildroot, where
each package can be associated to a CPE ID. A package can define one
or several of:

 - <pkg>_CPE_ID_VENDOR
 - <pkg>_CPE_ID_PRODUCT
 - <pkg>_CPE_ID_VERSION
 - <pkg>_CPE_ID_VERSION_MINOR
 - <pkg>_CPE_ID_PREFIX

If one or several of those variables are defined, then the
<pkg>_CPE_ID will be defined by the generic package infrastructure as
follows:

  $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*

<pkg>_CPE_ID_* variables that are not explicitly specified by the
package will carry a default value defined by the generic package
infrastructure.

If a package is happy with the default <pkg>_CPE_ID, and therefore
does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
can set <pkg>_CPE_ID_VALID = YES.

If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
generic package infrastructure.

Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
be defined. Indeed, we want to be able to distinguish packages for
which the CPE ID information has been checked and is considered valid,
from packages for which the CPE ID information has never been
verified. For thise reason, we cannot simply define a default value
for <pkg>_CPE_ID.

The <pkg>_CPE_ID_* values for the host package are inherited from the
same variables of the corresponding target package, as we normally do
for most package variables.

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/pkg-generic.mk | 70 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 54de03da03..621fb91424 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -608,6 +608,76 @@ $(2)_REDISTRIBUTE		?= YES
 
 $(2)_REDIST_SOURCES_DIR = $$(REDIST_SOURCES_DIR_$$(call UPPERCASE,$(4)))/$$($(2)_BASENAME_RAW)
 
+# If any of the <pkg>_CPE_ID_* variables are set, we assume the CPE ID
+# information is valid for this package.
+ifneq ($$($(2)_CPE_ID_VENDOR)$$($(2)_CPE_ID_NAME)$$($(2)_CPE_ID_VERSION)$$($(2)_CPE_ID_VERSION_MINOR)$$($(2)_CPE_ID_PREFIX),)
+$(2)_CPE_ID_VALID = YES
+endif
+
+# When we're a host package, make sure to use the variables of the
+# corresponding target package, if any.
+ifneq ($$($(3)_CPE_ID_VENDOR)$$($(3)_CPE_ID_NAME)$$($(3)_CPE_ID_VERSION)$$($(3)_CPE_ID_VERSION_MINOR)$$($(3)_CPE_ID_PREFIX),)
+$(2)_CPE_ID_VALID = YES
+endif
+
+# If the CPE ID is valid for the target package so it is for the host
+# package
+ifndef $(2)_CPE_ID_VALID
+ ifdef $(3)_CPE_ID_VALID
+   $(2)_CPE_ID_VALID = $$($(3)_CPE_ID_VALID)
+ endif
+endif
+
+ifeq ($$($(2)_CPE_ID_VALID),YES)
+ # CPE_ID_VENDOR
+ ifndef $(2)_CPE_ID_VENDOR
+  ifdef $(3)_CPE_ID_VENDOR
+   $(2)_CPE_ID_VENDOR = $$($(3)_CPE_ID_VENDOR)
+  else
+   $(2)_CPE_ID_VENDOR = $$($(2)_RAWNAME)_project
+ endif
+ endif
+
+ # CPE_ID_NAME
+ ifndef $(2)_CPE_ID_NAME
+  ifdef $(3)_CPE_ID_NAME
+   $(2)_CPE_ID_NAME = $$($(3)_CPE_ID_NAME)
+  else
+   $(2)_CPE_ID_NAME = $$($(2)_RAWNAME)
+  endif
+ endif
+
+ # CPE_ID_VERSION
+ ifndef $(2)_CPE_ID_VERSION
+  ifdef $(3)_CPE_ID_VERSION
+   $(2)_CPE_ID_VERSION = $$($(3)_CPE_ID_VERSION)
+  else
+   $(2)_CPE_ID_VERSION = $$($(2)_VERSION)
+  endif
+ endif
+
+ # CPE_ID_VERSION_MINOR
+ ifndef $(2)_CPE_ID_VERSION_MINOR
+  ifdef $(3)_CPE_ID_VERSION_MINOR
+   $(2)_CPE_ID_VERSION_MINOR = $$($(3)_CPE_ID_VERSION_MINOR)
+  else
+   $(2)_CPE_ID_VERSION_MINOR = *
+  endif
+ endif
+
+ # CPE_ID_PREFIX
+ ifndef $(2)_CPE_ID_PREFIX
+  ifdef $(3)_CPE_ID_PREFIX
+   $(2)_CPE_ID_PREFIX = $$($(3)_CPE_ID_PREFIX)
+  else
+   $(2)_CPE_ID_PREFIX = cpe:2.3:a
+  endif
+ endif
+
+ # Calculate complete CPE ID
+ $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
+endif # ifeq ($$($(2)_CPE_ID_VALID),YES)
+
 # When a target package is a toolchain dependency set this variable to
 # 'NO' so the 'toolchain' dependency is not added to prevent a circular
 # dependency.
-- 
2.26.2

[Buildroot] [PATCH 03/10] package/pkg-generic.mk: add CPE ID related package variables

[Matthew Weber]

Thomas / Greg,

On Wed, Nov 4, 2020 at 8:53 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Currently, the match between Buildroot packages and CVEs is solely
> based on the package names. Unfortunately, as one can imagine, there
> isn't necessarily a strict mapping between Buildroot package names,
> and how software projects are referenced in the National Vulnerability
> Database (NVD) which we use.
>
> The NVD has defined the concept of CPE (Common Platform Enumeration)
> identifiers, which uniquely identifies software components based on
> string looking like this:
>
>   cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*
>
> In particular, this CPE identifier contains a vendor name (here
> "netsurf-browser"), a product name (here "libnsbmp") and a version
> (here "0.1.2").
>
> This patch series introduces the concept of CPE ID in Buildroot, where
> each package can be associated to a CPE ID. A package can define one
> or several of:
>
>  - <pkg>_CPE_ID_VENDOR
>  - <pkg>_CPE_ID_PRODUCT
>  - <pkg>_CPE_ID_VERSION
>  - <pkg>_CPE_ID_VERSION_MINOR
>  - <pkg>_CPE_ID_PREFIX
>
> If one or several of those variables are defined, then the
> <pkg>_CPE_ID will be defined by the generic package infrastructure as
> follows:
>
>   $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
>
> <pkg>_CPE_ID_* variables that are not explicitly specified by the
> package will carry a default value defined by the generic package
> infrastructure.
>
> If a package is happy with the default <pkg>_CPE_ID, and therefore
> does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
> can set <pkg>_CPE_ID_VALID = YES.
>
> If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
> by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
> generic package infrastructure.

Oh good call, so we don't need to explicitly set the VALID if we've
already tailored it.

>
> Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
> be defined. Indeed, we want to be able to distinguish packages for
> which the CPE ID information has been checked and is considered valid,
> from packages for which the CPE ID information has never been
> verified. For thise reason, we cannot simply define a default value

Spelling thise -> this

This was a good addition as now it is easy to tell what has been verified.

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>

[Buildroot] [PATCH 03/10] package/pkg-generic.mk: add CPE ID related package variables

[Thomas Petazzoni]

Hello,

On Wed, 4 Nov 2020 11:03:04 -0600
Matthew Weber <matthew.weber@rockwellcollins.com> wrote:

> > If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
> > by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
> > generic package infrastructure.  
> 
> Oh good call, so we don't need to explicitly set the VALID if we've
> already tailored it.

That is the idea.

The only thing I am not fully happy with is that a package can't set
directly <pkg>_CPE_ID, only the infrastructure can do that. I couldn't
figure out a reasonable way to allow a package to set <pkg>_CPE_ID
while still keeping the generic-package code simple enough *and* match
the other constraints that we have.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 03/10] package/pkg-generic.mk: add CPE ID related package variables

[Heiko Thiery]

Hi Thomas,

Am Mi., 4. Nov. 2020 um 15:52 Uhr schrieb Thomas Petazzoni
<thomas.petazzoni@bootlin.com>:
>
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Currently, the match between Buildroot packages and CVEs is solely
> based on the package names. Unfortunately, as one can imagine, there
> isn't necessarily a strict mapping between Buildroot package names,
> and how software projects are referenced in the National Vulnerability
> Database (NVD) which we use.
>
> The NVD has defined the concept of CPE (Common Platform Enumeration)
> identifiers, which uniquely identifies software components based on
> string looking like this:
>
>   cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*
>
> In particular, this CPE identifier contains a vendor name (here
> "netsurf-browser"), a product name (here "libnsbmp") and a version
> (here "0.1.2").
>
> This patch series introduces the concept of CPE ID in Buildroot, where
> each package can be associated to a CPE ID. A package can define one
> or several of:
>
>  - <pkg>_CPE_ID_VENDOR
>  - <pkg>_CPE_ID_PRODUCT
>  - <pkg>_CPE_ID_VERSION
>  - <pkg>_CPE_ID_VERSION_MINOR
>  - <pkg>_CPE_ID_PREFIX
>
> If one or several of those variables are defined, then the
> <pkg>_CPE_ID will be defined by the generic package infrastructure as
> follows:
>
>   $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
>
> <pkg>_CPE_ID_* variables that are not explicitly specified by the
> package will carry a default value defined by the generic package
> infrastructure.
>
> If a package is happy with the default <pkg>_CPE_ID, and therefore
> does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
> can set <pkg>_CPE_ID_VALID = YES.
>
> If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
> by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
> generic package infrastructure.
>
> Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
> be defined. Indeed, we want to be able to distinguish packages for
> which the CPE ID information has been checked and is considered valid,
> from packages for which the CPE ID information has never been
> verified. For thise reason, we cannot simply define a default value
> for <pkg>_CPE_ID.
>
> The <pkg>_CPE_ID_* values for the host package are inherited from the
> same variables of the corresponding target package, as we normally do
> for most package variables.
>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  package/pkg-generic.mk | 70 ++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 70 insertions(+)
>
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 54de03da03..621fb91424 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -608,6 +608,76 @@ $(2)_REDISTRIBUTE          ?= YES
>
>  $(2)_REDIST_SOURCES_DIR = $$(REDIST_SOURCES_DIR_$$(call UPPERCASE,$(4)))/$$($(2)_BASENAME_RAW)
>
> +# If any of the <pkg>_CPE_ID_* variables are set, we assume the CPE ID
> +# information is valid for this package.
> +ifneq ($$($(2)_CPE_ID_VENDOR)$$($(2)_CPE_ID_NAME)$$($(2)_CPE_ID_VERSION)$$($(2)_CPE_ID_VERSION_MINOR)$$($(2)_CPE_ID_PREFIX),)
> +$(2)_CPE_ID_VALID = YES
> +endif
> +
> +# When we're a host package, make sure to use the variables of the
> +# corresponding target package, if any.
> +ifneq ($$($(3)_CPE_ID_VENDOR)$$($(3)_CPE_ID_NAME)$$($(3)_CPE_ID_VERSION)$$($(3)_CPE_ID_VERSION_MINOR)$$($(3)_CPE_ID_PREFIX),)
> +$(2)_CPE_ID_VALID = YES
> +endif
> +
> +# If the CPE ID is valid for the target package so it is for the host
> +# package
> +ifndef $(2)_CPE_ID_VALID
> + ifdef $(3)_CPE_ID_VALID
> +   $(2)_CPE_ID_VALID = $$($(3)_CPE_ID_VALID)
> + endif
> +endif
> +
> +ifeq ($$($(2)_CPE_ID_VALID),YES)
> + # CPE_ID_VENDOR
> + ifndef $(2)_CPE_ID_VENDOR
> +  ifdef $(3)_CPE_ID_VENDOR
> +   $(2)_CPE_ID_VENDOR = $$($(3)_CPE_ID_VENDOR)
> +  else
> +   $(2)_CPE_ID_VENDOR = $$($(2)_RAWNAME)_project
> + endif
> + endif
> +
> + # CPE_ID_NAME
> + ifndef $(2)_CPE_ID_NAME
> +  ifdef $(3)_CPE_ID_NAME
> +   $(2)_CPE_ID_NAME = $$($(3)_CPE_ID_NAME)
> +  else
> +   $(2)_CPE_ID_NAME = $$($(2)_RAWNAME)
> +  endif
> + endif
> +
> + # CPE_ID_VERSION
> + ifndef $(2)_CPE_ID_VERSION
> +  ifdef $(3)_CPE_ID_VERSION
> +   $(2)_CPE_ID_VERSION = $$($(3)_CPE_ID_VERSION)
> +  else
> +   $(2)_CPE_ID_VERSION = $$($(2)_VERSION)
> +  endif
> + endif
> +
> + # CPE_ID_VERSION_MINOR
> + ifndef $(2)_CPE_ID_VERSION_MINOR
> +  ifdef $(3)_CPE_ID_VERSION_MINOR
> +   $(2)_CPE_ID_VERSION_MINOR = $$($(3)_CPE_ID_VERSION_MINOR)
> +  else
> +   $(2)_CPE_ID_VERSION_MINOR = *
> +  endif
> + endif
> +
> + # CPE_ID_PREFIX
> + ifndef $(2)_CPE_ID_PREFIX
> +  ifdef $(3)_CPE_ID_PREFIX
> +   $(2)_CPE_ID_PREFIX = $$($(3)_CPE_ID_PREFIX)
> +  else
> +   $(2)_CPE_ID_PREFIX = cpe:2.3:a
> +  endif
> + endif
> +
> + # Calculate complete CPE ID
> + $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
> +endif # ifeq ($$($(2)_CPE_ID_VALID),YES)
> +
>  # When a target package is a toolchain dependency set this variable to
>  # 'NO' so the 'toolchain' dependency is not added to prevent a circular
>  # dependency.

Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>

Thank you

-- 
Heiko

[Buildroot] [PATCH 03/10] package/pkg-generic.mk: add CPE ID related package variables

[Thomas Petazzoni]

On Wed,  4 Nov 2020 15:51:37 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> Currently, the match between Buildroot packages and CVEs is solely
> based on the package names. Unfortunately, as one can imagine, there
> isn't necessarily a strict mapping between Buildroot package names,
> and how software projects are referenced in the National Vulnerability
> Database (NVD) which we use.
> 
> The NVD has defined the concept of CPE (Common Platform Enumeration)
> identifiers, which uniquely identifies software components based on
> string looking like this:
> 
>   cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*
> 
> In particular, this CPE identifier contains a vendor name (here
> "netsurf-browser"), a product name (here "libnsbmp") and a version
> (here "0.1.2").
> 
> This patch series introduces the concept of CPE ID in Buildroot, where
> each package can be associated to a CPE ID. A package can define one
> or several of:
> 
>  - <pkg>_CPE_ID_VENDOR
>  - <pkg>_CPE_ID_PRODUCT
>  - <pkg>_CPE_ID_VERSION
>  - <pkg>_CPE_ID_VERSION_MINOR
>  - <pkg>_CPE_ID_PREFIX
> 
> If one or several of those variables are defined, then the
> <pkg>_CPE_ID will be defined by the generic package infrastructure as
> follows:
> 
>   $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
> 
> <pkg>_CPE_ID_* variables that are not explicitly specified by the
> package will carry a default value defined by the generic package
> infrastructure.
> 
> If a package is happy with the default <pkg>_CPE_ID, and therefore
> does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
> can set <pkg>_CPE_ID_VALID = YES.
> 
> If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
> by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
> generic package infrastructure.
> 
> Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
> be defined. Indeed, we want to be able to distinguish packages for
> which the CPE ID information has been checked and is considered valid,
> from packages for which the CPE ID information has never been
> verified. For thise reason, we cannot simply define a default value
> for <pkg>_CPE_ID.
> 
> The <pkg>_CPE_ID_* values for the host package are inherited from the
> same variables of the corresponding target package, as we normally do
> for most package variables.
> 
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  package/pkg-generic.mk | 70 ++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 70 insertions(+)

Considering this has been started by Matt Weber, then looked at by
Gr?gory Clement, then by me, and finally Reviewed-by both Matt and
Heiko, I've applied this change to next.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 04/10] docs/manual: document <pkg>_CPE_ID variables

[Thomas Petazzoni]

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 docs/manual/adding-packages-generic.txt | 39 +++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
index b8bfcb4aff..3fcf741a1a 100644
--- a/docs/manual/adding-packages-generic.txt
+++ b/docs/manual/adding-packages-generic.txt
@@ -502,6 +502,45 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345
 LIBFOO_IGNORE_CVES += CVE-2020-54321
 ----------------------
 
+* +LIBFOO_CPE_ID_*+ variables is a set of variables that allows the
+  package to define its https://nvd.nist.gov/products/cpe[CPE
+  identifier]. The available variables are:
++
+--
+** +LIBFOO_CPE_ID_PREFIX+, specifies the prefix of the CPE identifier,
+   i.e the first three fields. When not defined, the default value is
+   +cpe:2.3:a+.
+
+** +LIBFOO_CPE_ID_VENDOR+, specifies the vendor part of the CPE
+   identifier. When not defined, the default value is
+   +<pkgname>_project+.
+
+** +LIBFOO_CPE_ID_PRODUCT+, specifies the product part of the CPE
+   identifier. When not defined, the default value is +<pkgname>+.
+
+** +LIBFOO_CPE_ID_VERSION+, specifies the version part of the CPE
+   identifier. When not defined the default value is
+   +$(LIBFOO_VERSION)+.
+
+** +LIBFOO_CPE_ID_VERSION_MINOR+ specifies the _update_ part of the
+   CPE identifier. When not defined the default value is +*+.
+--
++
+If any of those variables is defined, then the generic package
+infrastructure assumes the package provides valid CPE information. In
+this case, +LIBFOO_CPE_ID_VALID = YES+ will be sent, and the generic
+package infrastructure will define +LIBFOO_CPE_ID+.
++
+Alternatively, a package can also explicitly set +LIBFOO_CPE_ID_VALID
+= YES+ if the default values for +LIBFOO_CPE_ID_PREFIX+,
++LIBFOO_CPE_ID_VENDOR+, +LIBFOO_CPE_ID_PRODUCT+,
++LIBFOO_CPE_ID_VERSION+, +LIBFOO_CPE_ID_VERSION_MINOR+ are all correct
+for this package and don't need to be explicitly overridden.
++
+For a host package, if its +LIBFOO_CPE_ID_*+ variables are not
+defined, it inherits the value of those variables from the
+corresponding target package.
+
 The recommended way to define these variables is to use the following
 syntax:
 
-- 
2.26.2

[Buildroot] [PATCH 04/10] docs/manual: document <pkg>_CPE_ID variables

[Matthew Weber]

Thomas,

On Wed, Nov 4, 2020 at 8:53 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  docs/manual/adding-packages-generic.txt | 39 +++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)
>
> diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
> index b8bfcb4aff..3fcf741a1a 100644
> --- a/docs/manual/adding-packages-generic.txt
> +++ b/docs/manual/adding-packages-generic.txt
> @@ -502,6 +502,45 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345
>  LIBFOO_IGNORE_CVES += CVE-2020-54321
>  ----------------------
>
> +* +LIBFOO_CPE_ID_*+ variables is a set of variables that allows the
> +  package to define its https://nvd.nist.gov/products/cpe[CPE
> +  identifier]. The available variables are:
> ++
> +--
> +** +LIBFOO_CPE_ID_PREFIX+, specifies the prefix of the CPE identifier,
> +   i.e the first three fields. When not defined, the default value is
> +   +cpe:2.3:a+.
> +
> +** +LIBFOO_CPE_ID_VENDOR+, specifies the vendor part of the CPE
> +   identifier. When not defined, the default value is
> +   +<pkgname>_project+.
> +
> +** +LIBFOO_CPE_ID_PRODUCT+, specifies the product part of the CPE
> +   identifier. When not defined, the default value is +<pkgname>+.
> +
> +** +LIBFOO_CPE_ID_VERSION+, specifies the version part of the CPE
> +   identifier. When not defined the default value is
> +   +$(LIBFOO_VERSION)+.
> +
> +** +LIBFOO_CPE_ID_VERSION_MINOR+ specifies the _update_ part of the
> +   CPE identifier. When not defined the default value is +*+.
> +--
> ++
> +If any of those variables is defined, then the generic package
> +infrastructure assumes the package provides valid CPE information. In
> +this case, +LIBFOO_CPE_ID_VALID = YES+ will be sent, and the generic
> +package infrastructure will define +LIBFOO_CPE_ID+.
> ++
> +Alternatively, a package can also explicitly set +LIBFOO_CPE_ID_VALID
> += YES+ if the default values for +LIBFOO_CPE_ID_PREFIX+,
> ++LIBFOO_CPE_ID_VENDOR+, +LIBFOO_CPE_ID_PRODUCT+,
> ++LIBFOO_CPE_ID_VERSION+, +LIBFOO_CPE_ID_VERSION_MINOR+ are all correct
> +for this package and don't need to be explicitly overridden.
> ++
> +For a host package, if its +LIBFOO_CPE_ID_*+ variables are not
> +defined, it inherits the value of those variables from the
> +corresponding target package.
> +
>  The recommended way to define these variables is to use the following
>  syntax:
>

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>

[Buildroot] [PATCH 04/10] docs/manual: document <pkg>_CPE_ID variables

[Heiko Thiery]

Hi Thomas,

Am Mi., 4. Nov. 2020 um 15:52 Uhr schrieb Thomas Petazzoni
<thomas.petazzoni@bootlin.com>:
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  docs/manual/adding-packages-generic.txt | 39 +++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)
>
> diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
> index b8bfcb4aff..3fcf741a1a 100644
> --- a/docs/manual/adding-packages-generic.txt
> +++ b/docs/manual/adding-packages-generic.txt
> @@ -502,6 +502,45 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345
>  LIBFOO_IGNORE_CVES += CVE-2020-54321
>  ----------------------
>
> +* +LIBFOO_CPE_ID_*+ variables is a set of variables that allows the
> +  package to define its https://nvd.nist.gov/products/cpe[CPE
> +  identifier]. The available variables are:
> ++
> +--
> +** +LIBFOO_CPE_ID_PREFIX+, specifies the prefix of the CPE identifier,
> +   i.e the first three fields. When not defined, the default value is
> +   +cpe:2.3:a+.
> +
> +** +LIBFOO_CPE_ID_VENDOR+, specifies the vendor part of the CPE
> +   identifier. When not defined, the default value is
> +   +<pkgname>_project+.
> +
> +** +LIBFOO_CPE_ID_PRODUCT+, specifies the product part of the CPE
> +   identifier. When not defined, the default value is +<pkgname>+.
> +
> +** +LIBFOO_CPE_ID_VERSION+, specifies the version part of the CPE
> +   identifier. When not defined the default value is
> +   +$(LIBFOO_VERSION)+.
> +
> +** +LIBFOO_CPE_ID_VERSION_MINOR+ specifies the _update_ part of the
> +   CPE identifier. When not defined the default value is +*+.
> +--
> ++
> +If any of those variables is defined, then the generic package
> +infrastructure assumes the package provides valid CPE information. In
> +this case, +LIBFOO_CPE_ID_VALID = YES+ will be sent, and the generic

s/sent/set/ ?

> +package infrastructure will define +LIBFOO_CPE_ID+.
> ++
> +Alternatively, a package can also explicitly set +LIBFOO_CPE_ID_VALID
> += YES+ if the default values for +LIBFOO_CPE_ID_PREFIX+,
> ++LIBFOO_CPE_ID_VENDOR+, +LIBFOO_CPE_ID_PRODUCT+,
> ++LIBFOO_CPE_ID_VERSION+, +LIBFOO_CPE_ID_VERSION_MINOR+ are all correct
> +for this package and don't need to be explicitly overridden.
> ++
> +For a host package, if its +LIBFOO_CPE_ID_*+ variables are not
> +defined, it inherits the value of those variables from the
> +corresponding target package.
> +
>  The recommended way to define these variables is to use the following
>  syntax:
>

Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>

-- 
Heiko

[Buildroot] [PATCH 04/10] docs/manual: document <pkg>_CPE_ID variables

[Thomas Petazzoni]

On Wed,  4 Nov 2020 15:51:38 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  docs/manual/adding-packages-generic.txt | 39 +++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)

Both Matt and Heiko have given their Reviewed-by, so I have applied. I
have fixed when applying the typo reported by Heiko.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 05/10] package/pkg-utils.mk: expose CPE ID in show-info when available

[Thomas Petazzoni]

This commit exposes a new per-package property in the "make show-info"
JSON output: "cpe-id", which exists when a valid CPE ID is available
for the package.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/pkg-utils.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
index 4fcb076e21..a2cc160d0b 100644
--- a/package/pkg-utils.mk
+++ b/package/pkg-utils.mk
@@ -119,6 +119,9 @@ define _json-info-pkg
 	"reverse_dependencies": [
 		$(call make-comma-list,$(sort $($(1)_RDEPENDENCIES)))
 	]
+	$(if $($(1)_CPE_ID_VALID), \
+		$(comma) "cpe-id": "$($(1)_CPE_ID)" \
+	)
 	$(if $($(1)_IGNORE_CVES),
 		$(comma) "ignore_cves": [
 			$(call make-comma-list,$(sort $($(1)_IGNORE_CVES)))
-- 
2.26.2

[Buildroot] [PATCH 05/10] package/pkg-utils.mk: expose CPE ID in show-info when available

[Matthew Weber]

Thomas,

On Wed, Nov 4, 2020 at 8:52 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> This commit exposes a new per-package property in the "make show-info"
> JSON output: "cpe-id", which exists when a valid CPE ID is available
> for the package.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  package/pkg-utils.mk | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
> index 4fcb076e21..a2cc160d0b 100644
> --- a/package/pkg-utils.mk
> +++ b/package/pkg-utils.mk
> @@ -119,6 +119,9 @@ define _json-info-pkg
>         "reverse_dependencies": [
>                 $(call make-comma-list,$(sort $($(1)_RDEPENDENCIES)))
>         ]
> +       $(if $($(1)_CPE_ID_VALID), \
> +               $(comma) "cpe-id": "$($(1)_CPE_ID)" \
> +       )

I do want to note that my original series built a CPE listing similar
to legal-info as an output for the user or other scripts to use
outside Buildroot.  This method is way more flexible and I believe can
be leveraged for future patches that could create a Software Bill of
Materials using an external script.

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>

[Buildroot] [PATCH 05/10] package/pkg-utils.mk: expose CPE ID in show-info when available

[Heiko Thiery]

Hi Thomas,

Am Mi., 4. Nov. 2020 um 15:52 Uhr schrieb Thomas Petazzoni
<thomas.petazzoni@bootlin.com>:
>
> This commit exposes a new per-package property in the "make show-info"
> JSON output: "cpe-id", which exists when a valid CPE ID is available
> for the package.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  package/pkg-utils.mk | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
> index 4fcb076e21..a2cc160d0b 100644
> --- a/package/pkg-utils.mk
> +++ b/package/pkg-utils.mk
> @@ -119,6 +119,9 @@ define _json-info-pkg
>         "reverse_dependencies": [
>                 $(call make-comma-list,$(sort $($(1)_RDEPENDENCIES)))
>         ]
> +       $(if $($(1)_CPE_ID_VALID), \
> +               $(comma) "cpe-id": "$($(1)_CPE_ID)" \
> +       )
>         $(if $($(1)_IGNORE_CVES),
>                 $(comma) "ignore_cves": [
>                         $(call make-comma-list,$(sort $($(1)_IGNORE_CVES)))

Tested-by: Heiko Thiery <heiko.thiery@gmail.com>

Thank you

-- 
Heiko

[Buildroot] [PATCH 05/10] package/pkg-utils.mk: expose CPE ID in show-info when available

[Thomas Petazzoni]

On Wed,  4 Nov 2020 15:51:39 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> This commit exposes a new per-package property in the "make show-info"
> JSON output: "cpe-id", which exists when a valid CPE ID is available
> for the package.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  package/pkg-utils.mk | 3 +++
>  1 file changed, 3 insertions(+)

Applied to next, thanks to the review/testing from Matt and Heiko.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 06/10] support/testing/tests/core/test_cpeid: new test

[Thomas Petazzoni]

This commit adds a number of test cases to verify that the CPE_ID_*
variables are properly handled by the generic package infrastructure
and that the "make show-info" JSON output matches what we expect.

A total of 5 different example packages are used to exercise different
scenarios of CPE_ID_* variables usage.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 .../tests/core/cpeid-br2-external/Config.in   |   0
 .../core/cpeid-br2-external/external.desc     |   1 +
 .../tests/core/cpeid-br2-external/external.mk |   1 +
 .../package/cpe-id-pkg1/cpe-id-pkg1.mk        |   4 +
 .../package/cpe-id-pkg2/cpe-id-pkg2.mk        |   3 +
 .../package/cpe-id-pkg3/cpe-id-pkg3.mk        |   5 +
 .../package/cpe-id-pkg4/cpe-id-pkg4.mk        |   9 ++
 .../package/cpe-id-pkg5/cpe-id-pkg5.mk        |  16 +++
 support/testing/tests/core/test_cpeid.py      | 109 ++++++++++++++++++
 9 files changed, 148 insertions(+)
 create mode 100644 support/testing/tests/core/cpeid-br2-external/Config.in
 create mode 100644 support/testing/tests/core/cpeid-br2-external/external.desc
 create mode 100644 support/testing/tests/core/cpeid-br2-external/external.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg1/cpe-id-pkg1.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg2/cpe-id-pkg2.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg3/cpe-id-pkg3.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg4/cpe-id-pkg4.mk
 create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg5/cpe-id-pkg5.mk
 create mode 100644 support/testing/tests/core/test_cpeid.py

diff --git a/support/testing/tests/core/cpeid-br2-external/Config.in b/support/testing/tests/core/cpeid-br2-external/Config.in
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/support/testing/tests/core/cpeid-br2-external/external.desc b/support/testing/tests/core/cpeid-br2-external/external.desc
new file mode 100644
index 0000000000..d19ae79e7a
--- /dev/null
+++ b/support/testing/tests/core/cpeid-br2-external/external.desc
@@ -0,0 +1 @@
+name: CPE_ID
diff --git a/support/testing/tests/core/cpeid-br2-external/external.mk b/support/testing/tests/core/cpeid-br2-external/external.mk
new file mode 100644
index 0000000000..47492d7f82
--- /dev/null
+++ b/support/testing/tests/core/cpeid-br2-external/external.mk
@@ -0,0 +1 @@
+include $(sort $(wildcard $(BR2_EXTERNAL_CPE_ID_PATH)/package/*/*.mk))
diff --git a/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg1/cpe-id-pkg1.mk b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg1/cpe-id-pkg1.mk
new file mode 100644
index 0000000000..5e7460286b
--- /dev/null
+++ b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg1/cpe-id-pkg1.mk
@@ -0,0 +1,4 @@
+CPE_ID_PKG1_VERSION = 42
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
diff --git a/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg2/cpe-id-pkg2.mk b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg2/cpe-id-pkg2.mk
new file mode 100644
index 0000000000..12b3f3223f
--- /dev/null
+++ b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg2/cpe-id-pkg2.mk
@@ -0,0 +1,3 @@
+CPE_ID_PKG2_VERSION = 67
+
+$(eval $(host-generic-package))
diff --git a/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg3/cpe-id-pkg3.mk b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg3/cpe-id-pkg3.mk
new file mode 100644
index 0000000000..5added78df
--- /dev/null
+++ b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg3/cpe-id-pkg3.mk
@@ -0,0 +1,5 @@
+CPE_ID_PKG3_VERSION = 67
+CPE_ID_PKG3_CPE_ID_VALID = YES
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
diff --git a/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg4/cpe-id-pkg4.mk b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg4/cpe-id-pkg4.mk
new file mode 100644
index 0000000000..c37f73fa82
--- /dev/null
+++ b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg4/cpe-id-pkg4.mk
@@ -0,0 +1,9 @@
+CPE_ID_PKG4_VERSION = 67
+CPE_ID_PKG4_CPE_ID_VENDOR = foo
+CPE_ID_PKG4_CPE_ID_NAME = bar
+CPE_ID_PKG4_CPE_ID_VERSION = 42
+CPE_ID_PKG4_CPE_ID_VERSION_MINOR = b2
+CPE_ID_PKG4_CPE_ID_PREFIX = cpe:2.4:a
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
diff --git a/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg5/cpe-id-pkg5.mk b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg5/cpe-id-pkg5.mk
new file mode 100644
index 0000000000..18e98c4ca4
--- /dev/null
+++ b/support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg5/cpe-id-pkg5.mk
@@ -0,0 +1,16 @@
+CPE_ID_PKG5_VERSION = 57
+
+CPE_ID_PKG5_CPE_ID_VENDOR = foo
+CPE_ID_PKG5_CPE_ID_NAME = bar
+CPE_ID_PKG5_CPE_ID_VERSION = 42
+CPE_ID_PKG5_CPE_ID_VERSION_MINOR = b2
+CPE_ID_PKG5_CPE_ID_PREFIX = cpe:2.4:a
+
+HOST_CPE_ID_PKG5_CPE_ID_VENDOR = baz
+HOST_CPE_ID_PKG5_CPE_ID_NAME = fuz
+HOST_CPE_ID_PKG5_CPE_ID_VERSION = 43
+HOST_CPE_ID_PKG5_CPE_ID_VERSION_MINOR = b3
+HOST_CPE_ID_PKG5_CPE_ID_PREFIX = cpe:2.5:a
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
diff --git a/support/testing/tests/core/test_cpeid.py b/support/testing/tests/core/test_cpeid.py
new file mode 100644
index 0000000000..23471e4444
--- /dev/null
+++ b/support/testing/tests/core/test_cpeid.py
@@ -0,0 +1,109 @@
+import infra
+import subprocess
+import json
+
+class CpeIdTest(infra.basetest.BRConfigTest):
+    config = ""
+    br2_external = [infra.filepath("tests/core/cpeid-br2-external")]
+
+    def get_vars(self, var):
+        cmd = ["make", "--no-print-directory", "-C", self.b.builddir,
+               "VARS=%s%%" % var, "printvars"]
+        lines = subprocess.check_output(cmd).splitlines()
+        return dict([str(x, "utf-8").split("=") for x in lines])
+
+    def get_json(self, pkg):
+        cmd = ["make", "--no-print-directory", "-C", self.b.builddir,
+               "%s-show-info" % pkg]
+        return json.loads(subprocess.check_output(cmd))
+
+    def test_pkg1(self):
+        # this package has no CPE ID information, it should not have
+        # any CPE_ID variable defined.
+        pkg_vars = self.get_vars("CPE_ID_PKG1_CPE_ID")
+        cpe_vars = ["CPE_ID_VALID", "CPE_ID_NAME", "CPE_ID_VERSION", "CPE_ID_VERSION_MINOR",
+                    "CPE_ID_PREFIX", "CPE_ID"]
+        for v in cpe_vars:
+            self.assertNotIn("CPE_ID_PKG1_%s" % v, pkg_vars)
+        pkg_json = self.get_json("cpe-id-pkg1")
+        self.assertNotIn("cpe-id", pkg_json['cpe-id-pkg1'])
+
+        pkg_vars = self.get_vars("HOST_CPE_ID_PKG1_CPE_ID")
+        for v in cpe_vars:
+            self.assertNotIn("HOST_CPE_ID_PKG1_%s" % v, pkg_vars)
+        pkg_json = self.get_json("host-cpe-id-pkg1")
+        self.assertNotIn("cpe-id", pkg_json['host-cpe-id-pkg1'])
+
+    def test_pkg2(self):
+        # this package has no CPE ID information, it should not have
+        # any CPE_ID variable defined.
+        pkg_vars = self.get_vars("HOST_CPE_ID_PKG2_CPE_ID")
+        cpe_vars = ["CPE_ID_VALID", "CPE_ID_NAME", "CPE_ID_VERSION", "CPE_ID_VERSION_MINOR",
+                    "CPE_ID_PREFIX", "CPE_ID"]
+        for v in cpe_vars:
+            self.assertNotIn("HOST_CPE_ID_PKG2_%s" % v, pkg_vars)
+        pkg_json = self.get_json("host-cpe-id-pkg2")
+        self.assertNotIn("cpe-id", pkg_json['host-cpe-id-pkg2'])
+
+    def test_pkg3(self):
+        # this package has just <pkg>_CPE_ID_VALID defined, so verify
+        # it has the default CPE_ID value, and that inheritance of the
+        # values for the host package is working
+        pkg_vars = self.get_vars("CPE_ID_PKG3_CPE_ID")
+        self.assertEqual(pkg_vars["CPE_ID_PKG3_CPE_ID"],
+                         "cpe:2.3:a:cpe-id-pkg3_project:cpe-id-pkg3:67:*:*:*:*:*:*:*")
+        self.assertEqual(pkg_vars["CPE_ID_PKG3_CPE_ID_VALID"], "YES")
+        pkg_json = self.get_json("cpe-id-pkg3")
+        self.assertEqual(pkg_json['cpe-id-pkg3']['cpe-id'],
+                         "cpe:2.3:a:cpe-id-pkg3_project:cpe-id-pkg3:67:*:*:*:*:*:*:*")
+
+        pkg_vars = self.get_vars("HOST_CPE_ID_PKG3_CPE_ID")
+        self.assertEqual(pkg_vars["HOST_CPE_ID_PKG3_CPE_ID"],
+                         "cpe:2.3:a:cpe-id-pkg3_project:cpe-id-pkg3:67:*:*:*:*:*:*:*")
+        self.assertEqual(pkg_vars["HOST_CPE_ID_PKG3_CPE_ID_VALID"], "YES")
+        pkg_json = self.get_json("host-cpe-id-pkg3")
+        self.assertEqual(pkg_json['host-cpe-id-pkg3']['cpe-id'],
+                         "cpe:2.3:a:cpe-id-pkg3_project:cpe-id-pkg3:67:*:*:*:*:*:*:*")
+
+    def test_pkg4(self):
+        # this package defines
+        # <pkg>_CPE_ID_{VENDOR,NAME,VERSION,VERSION_MINOR,PREFIX},
+        # make sure we get the computed <pkg>_CPE_ID, and that it is
+        # inherited by the host variant
+        pkg_vars = self.get_vars("CPE_ID_PKG4_CPE_ID")
+        self.assertEqual(pkg_vars["CPE_ID_PKG4_CPE_ID"],
+                         "cpe:2.4:a:foo:bar:42:b2:*:*:*:*:*:*")
+        self.assertEqual(pkg_vars["CPE_ID_PKG4_CPE_ID_VALID"], "YES")
+        pkg_json = self.get_json("cpe-id-pkg4")
+        self.assertEqual(pkg_json['cpe-id-pkg4']['cpe-id'],
+                         "cpe:2.4:a:foo:bar:42:b2:*:*:*:*:*:*")
+
+        pkg_vars = self.get_vars("HOST_CPE_ID_PKG4_CPE_ID")
+        self.assertEqual(pkg_vars["HOST_CPE_ID_PKG4_CPE_ID"],
+                         "cpe:2.4:a:foo:bar:42:b2:*:*:*:*:*:*")
+        self.assertEqual(pkg_vars["HOST_CPE_ID_PKG4_CPE_ID_VALID"], "YES")
+        pkg_json = self.get_json("host-cpe-id-pkg4")
+        self.assertEqual(pkg_json['host-cpe-id-pkg4']['cpe-id'],
+                         "cpe:2.4:a:foo:bar:42:b2:*:*:*:*:*:*")
+
+    def test_pkg5(self):
+        # this package defines
+        # <pkg>_CPE_ID_{VENDOR,NAME,VERSION,VERSION_MINOR,PREFIX} and
+        # HOST_<pkg>_CPE_ID_{VENDOR,NAME,VERSION,VERSION_MINOR,PREFIX}
+        # separately, with different values. Make sure we get the
+        # right <pkg>_CPE_ID and HOST_<pkg>_CPE_ID values.
+        pkg_vars = self.get_vars("CPE_ID_PKG5_CPE_ID")
+        self.assertEqual(pkg_vars["CPE_ID_PKG5_CPE_ID"],
+                         "cpe:2.4:a:foo:bar:42:b2:*:*:*:*:*:*")
+        self.assertEqual(pkg_vars["CPE_ID_PKG5_CPE_ID_VALID"], "YES")
+        pkg_json = self.get_json("cpe-id-pkg5")
+        self.assertEqual(pkg_json['cpe-id-pkg5']['cpe-id'],
+                         "cpe:2.4:a:foo:bar:42:b2:*:*:*:*:*:*")
+
+        pkg_vars = self.get_vars("HOST_CPE_ID_PKG5_CPE_ID")
+        self.assertEqual(pkg_vars["HOST_CPE_ID_PKG5_CPE_ID"],
+                         "cpe:2.5:a:baz:fuz:43:b3:*:*:*:*:*:*")
+        self.assertEqual(pkg_vars["HOST_CPE_ID_PKG5_CPE_ID_VALID"], "YES")
+        pkg_json = self.get_json("host-cpe-id-pkg5")
+        self.assertEqual(pkg_json['host-cpe-id-pkg5']['cpe-id'],
+                         "cpe:2.5:a:baz:fuz:43:b3:*:*:*:*:*:*")
-- 
2.26.2

[Buildroot] [PATCH 06/10] support/testing/tests/core/test_cpeid: new test

[Matthew Weber]

Thomas,

On Wed, Nov 4, 2020 at 8:54 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> This commit adds a number of test cases to verify that the CPE_ID_*
> variables are properly handled by the generic package infrastructure
> and that the "make show-info" JSON output matches what we expect.
>
> A total of 5 different example packages are used to exercise different
> scenarios of CPE_ID_* variables usage.

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>

[Buildroot] [PATCH 06/10] support/testing/tests/core/test_cpeid: new test

[Thomas Petazzoni]

On Wed,  4 Nov 2020 15:51:40 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> This commit adds a number of test cases to verify that the CPE_ID_*
> variables are properly handled by the generic package infrastructure
> and that the "make show-info" JSON output matches what we expect.
> 
> A total of 5 different example packages are used to exercise different
> scenarios of CPE_ID_* variables usage.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  .../tests/core/cpeid-br2-external/Config.in   |   0
>  .../core/cpeid-br2-external/external.desc     |   1 +
>  .../tests/core/cpeid-br2-external/external.mk |   1 +
>  .../package/cpe-id-pkg1/cpe-id-pkg1.mk        |   4 +
>  .../package/cpe-id-pkg2/cpe-id-pkg2.mk        |   3 +
>  .../package/cpe-id-pkg3/cpe-id-pkg3.mk        |   5 +
>  .../package/cpe-id-pkg4/cpe-id-pkg4.mk        |   9 ++
>  .../package/cpe-id-pkg5/cpe-id-pkg5.mk        |  16 +++
>  support/testing/tests/core/test_cpeid.py      | 109 ++++++++++++++++++
>  9 files changed, 148 insertions(+)
>  create mode 100644 support/testing/tests/core/cpeid-br2-external/Config.in
>  create mode 100644 support/testing/tests/core/cpeid-br2-external/external.desc
>  create mode 100644 support/testing/tests/core/cpeid-br2-external/external.mk
>  create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg1/cpe-id-pkg1.mk
>  create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg2/cpe-id-pkg2.mk
>  create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg3/cpe-id-pkg3.mk
>  create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg4/cpe-id-pkg4.mk
>  create mode 100644 support/testing/tests/core/cpeid-br2-external/package/cpe-id-pkg5/cpe-id-pkg5.mk
>  create mode 100644 support/testing/tests/core/test_cpeid.py

Applied to next thanks to the Reviewed-by from Matt.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 07/10] support/scripts/cve-checker: show CPE ID in results

[Thomas Petazzoni]

From: Gregory CLEMENT <gregory.clement@bootlin.com>

This commit improves the cve-checker script to show the CPE ID of
packages, if available. For now, it doesn't use CPE IDs to match CVEs.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 support/scripts/cve-checker | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index ff110fc17c..421202d049 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -26,9 +26,10 @@ import cve as cvecheck
 
 
 class Package:
-    def __init__(self, name, version, ignored_cves):
+    def __init__(self, name, version, cpeid, ignored_cves):
         self.name = name
         self.version = version
+        self.cpeid = cpeid
         self.cves = list()
         self.ignored_cves = ignored_cves
 
@@ -106,6 +107,19 @@ def dump_html_pkg(f, pkg):
         f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
     f.write("  </td>\n")
 
+    # CPE ID
+    td_class = ["left"]
+    if pkg.cpeid:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    if pkg.cpeid:
+        f.write("  <code>%s</code>\n" % pkg.cpeid)
+    else:
+        f.write("  N/A\n")
+    f.write("  </td>\n")
+
     f.write(" </tr>\n")
 
 
@@ -116,6 +130,7 @@ def dump_html_all_pkgs(f, packages):
 <td>Package</td>
 <td class=\"centered\">Version</td>
 <td class=\"centered\">CVEs</td>
++<td class=\"centered\">CPE ID</td>
 </tr>
 """)
     for pkg in packages:
@@ -141,6 +156,7 @@ def dump_json(packages, date, output):
         pkg.name: {
             "version": pkg.version,
             "cves": pkg.cves,
+            "cpe-id": pkg.cpeid,
         } for pkg in packages
     }
     # The actual structure to dump, add date to it
@@ -170,7 +186,6 @@ def parse_args():
         parser.error('at least one of --html or --json (or both) is required')
     return args
 
-
 def __main__():
     args = parse_args()
 
@@ -178,7 +193,7 @@ def __main__():
     content = json.load(sys.stdin)
     for item in content:
         pkg = content[item]
-        p = Package(item, pkg.get('version', ''), pkg.get('ignore_cves', ''))
+        p = Package(item, pkg.get('version', ''), pkg.get('cpe-id', None), pkg.get('ignore_cves', ''))
         packages.append(p)
 
     date = datetime.datetime.utcnow()
-- 
2.26.2

[Buildroot] [PATCH 07/10] support/scripts/cve-checker: show CPE ID in results

[Matthew Weber]

Thomas / Greg,

On Wed, Nov 4, 2020 at 8:52 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> From: Gregory CLEMENT <gregory.clement@bootlin.com>
>
> This commit improves the cve-checker script to show the CPE ID of
> packages, if available. For now, it doesn't use CPE IDs to match CVEs.
>
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  support/scripts/cve-checker | 21 ++++++++++++++++++---
>  1 file changed, 18 insertions(+), 3 deletions(-)
>
> diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
> index ff110fc17c..421202d049 100755
> --- a/support/scripts/cve-checker
> +++ b/support/scripts/cve-checker
> @@ -26,9 +26,10 @@ import cve as cvecheck
>
>
>  class Package:
> -    def __init__(self, name, version, ignored_cves):
> +    def __init__(self, name, version, cpeid, ignored_cves):
>          self.name = name
>          self.version = version
> +        self.cpeid = cpeid
>          self.cves = list()
>          self.ignored_cves = ignored_cves
>
> @@ -106,6 +107,19 @@ def dump_html_pkg(f, pkg):
>          f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
>      f.write("  </td>\n")
>
> +    # CPE ID
> +    td_class = ["left"]
> +    if pkg.cpeid:
> +        td_class.append("correct")
> +    else:
> +        td_class.append("wrong")
> +    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
> +    if pkg.cpeid:
> +        f.write("  <code>%s</code>\n" % pkg.cpeid)
> +    else:
> +        f.write("  N/A\n")
> +    f.write("  </td>\n")
> +


Similar question as in the pkgstats about including host package CPE
IDs in the listing.

[Buildroot] [PATCH 07/10] support/scripts/cve-checker: show CPE ID in results

[Thomas Petazzoni]

On Wed,  4 Nov 2020 15:51:41 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> From: Gregory CLEMENT <gregory.clement@bootlin.com>
> 
> This commit improves the cve-checker script to show the CPE ID of
> packages, if available. For now, it doesn't use CPE IDs to match CVEs.
> 
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  support/scripts/cve-checker | 21 ++++++++++++++++++---
>  1 file changed, 18 insertions(+), 3 deletions(-)

Since cve-checker is no longer part of Buildroot, this patch no longer
makes sense, and I marked it as Non Applicable in patchwork.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 08/10] support/script/pkg-stats: show CPE ID in results

[Thomas Petazzoni]

From: Gregory CLEMENT <gregory.clement@bootlin.com>

This commit improves the pkg-stats script to show the CPE ID of
packages, if available. For now, it doesn't use CPE IDs to match CVEs.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 support/scripts/pkg-stats | 44 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 503cc45c16..0a48cf9581 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -76,6 +76,7 @@ class Package:
     all_license_files = list()
     all_versions = dict()
     all_ignored_cves = dict()
+    all_cpeids = dict ()
     # This is the list of all possible checks. Add new checks to this list so
     # a tool that post-processeds the json output knows the checks before
     # iterating over the packages.
@@ -96,6 +97,7 @@ class Package:
         self.current_version = None
         self.url = None
         self.url_worker = None
+        self.cpeid = None
         self.cves = list()
         self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
         self.status = {}
@@ -210,6 +212,14 @@ class Package:
         if var in self.all_versions:
             self.current_version = self.all_versions[var]
 
+    def set_cpeid(self):
+        """
+        Fills in the .cpeid field
+        """
+        var = self.pkgvar()
+        if var in self.all_cpeids:
+            self.cpeid = self.all_cpeids[var]
+
     def set_check_package_warnings(self):
         """
         Fills in the .warnings and .status['pkg-check'] fields
@@ -333,7 +343,7 @@ def get_pkglist(npackages, package_list):
 def package_init_make_info():
     # Fetch all variables at once
     variables = subprocess.check_output(["make", "BR2_HAVE_DOT_CONFIG=y", "-s", "printvars",
-                                         "VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES"])
+                                         "VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES %_CPE_ID"])
     variable_list = variables.decode().splitlines()
 
     # We process first the host package VERSION, and then the target
@@ -371,6 +381,9 @@ def package_init_make_info():
             pkgvar = pkgvar[:-12]
             Package.all_ignored_cves[pkgvar] = value.split()
 
+        elif pkgvar.endswith("_CPE_ID"):
+            pkgvar = pkgvar[:-7]
+            Package.all_cpeids[pkgvar] = value
 
 check_url_count = 0
 
@@ -578,6 +591,10 @@ def calculate_stats(packages):
         stats["total-cves"] += len(pkg.cves)
         if len(pkg.cves) != 0:
             stats["pkg-cves"] += 1
+        if pkg.cpeid:
+            stats["cpe-id"] += 1
+        else:
+            stats["no-cpe-id"] += 1
     return stats
 
 
@@ -800,6 +817,19 @@ def dump_html_pkg(f, pkg):
         f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
     f.write("  </td>\n")
 
+    # CPE ID
+    td_class = ["left"]
+    if pkg.cpeid:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    if pkg.cpeid:
+        f.write("  <code>%s</code>\n" % pkg.cpeid)
+    else:
+        f.write("  N/A\n")
+    f.write("  </td>\n")
+
     f.write(" </tr>\n")
 
 
@@ -818,6 +848,7 @@ def dump_html_all_pkgs(f, packages):
 <td class=\"centered\">Warnings</td>
 <td class=\"centered\">Upstream URL</td>
 <td class=\"centered\">CVEs</td>
+<td class=\"centered\">CPE ID</td>
 </tr>
 """)
     for pkg in sorted(packages):
@@ -860,6 +891,10 @@ def dump_html_stats(f, stats):
             stats["pkg-cves"])
     f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
             stats["total-cves"])
+    f.write("<tr><td>Packages with CPE ID</td><td>%s</td></tr>\n" %
+            stats["cpe-id"])
+    f.write("<tr><td>Packages without CPE ID</td><td>%s</td></tr>\n" %
+            stats["no-cpe-id"])
     f.write("</table>\n")
 
 
@@ -932,11 +967,17 @@ def parse_args():
                           help='List of packages (comma separated)')
     parser.add_argument('--nvd-path', dest='nvd_path',
                         help='Path to the local NVD database', type=resolvepath)
+    parser.add_argument("--cpeid", action='store_true')
     args = parser.parse_args()
     if not args.html and not args.json:
         parser.error('at least one of --html or --json (or both) is required')
     return args
 
+def cpeid_name(pkg):
+    try:
+        return pkg.cpeid.split(':')[1]
+    except:
+        return ''
 
 def __main__():
     args = parse_args()
@@ -965,6 +1006,7 @@ def __main__():
         pkg.set_patch_count()
         pkg.set_check_package_warnings()
         pkg.set_current_version()
+        pkg.set_cpeid()
         pkg.set_url()
         pkg.set_developers(developers)
     print("Checking URL status")
-- 
2.26.2

[Buildroot] [PATCH 08/10] support/script/pkg-stats: show CPE ID in results

[Matthew Weber]

Thomas / Greg,

On Wed, Nov 4, 2020 at 8:53 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> From: Gregory CLEMENT <gregory.clement@bootlin.com>
>
> This commit improves the pkg-stats script to show the CPE ID of
> packages, if available. For now, it doesn't use CPE IDs to match CVEs.
>

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>

> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  support/scripts/pkg-stats | 44 ++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 43 insertions(+), 1 deletion(-)
>
> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 503cc45c16..0a48cf9581 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats
> @@ -76,6 +76,7 @@ class Package:
>      all_license_files = list()
>      all_versions = dict()
>      all_ignored_cves = dict()
> +    all_cpeids = dict ()
>      # This is the list of all possible checks. Add new checks to this list so
>      # a tool that post-processeds the json output knows the checks before
>      # iterating over the packages.
> @@ -96,6 +97,7 @@ class Package:
>          self.current_version = None
>          self.url = None
>          self.url_worker = None
> +        self.cpeid = None
>          self.cves = list()
>          self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
>          self.status = {}
> @@ -210,6 +212,14 @@ class Package:
>          if var in self.all_versions:
>              self.current_version = self.all_versions[var]
>
> +    def set_cpeid(self):
> +        """
> +        Fills in the .cpeid field
> +        """
> +        var = self.pkgvar()
> +        if var in self.all_cpeids:
> +            self.cpeid = self.all_cpeids[var]
> +
>      def set_check_package_warnings(self):
>          """
>          Fills in the .warnings and .status['pkg-check'] fields
> @@ -333,7 +343,7 @@ def get_pkglist(npackages, package_list):
>  def package_init_make_info():
>      # Fetch all variables at once
>      variables = subprocess.check_output(["make", "BR2_HAVE_DOT_CONFIG=y", "-s", "printvars",
> -                                         "VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES"])
> +                                         "VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES %_CPE_ID"])
>      variable_list = variables.decode().splitlines()
>
>      # We process first the host package VERSION, and then the target
> @@ -371,6 +381,9 @@ def package_init_make_info():
>              pkgvar = pkgvar[:-12]
>              Package.all_ignored_cves[pkgvar] = value.split()
>
> +        elif pkgvar.endswith("_CPE_ID"):
> +            pkgvar = pkgvar[:-7]
> +            Package.all_cpeids[pkgvar] = value

I haven't dug that deep yet in the script, but would this populate
host and target CPE ID values?  I know the Infrastructure does note
host/target so there is probably enough information to conditionally
pull the value.

[Buildroot] [PATCH 08/10] support/script/pkg-stats: show CPE ID in results

[Thomas Petazzoni]

On Wed, 4 Nov 2020 11:18:50 -0600
Matthew Weber <matthew.weber@rockwellcollins.com> wrote:

> > +        elif pkgvar.endswith("_CPE_ID"):
> > +            pkgvar = pkgvar[:-7]
> > +            Package.all_cpeids[pkgvar] = value  
> 
> I haven't dug that deep yet in the script, but would this populate
> host and target CPE ID values?  I know the Infrastructure does note
> host/target so there is probably enough information to conditionally
> pull the value.

pkg-stats doesn't have a notion of a package being a host or a target
package. It knows only about packages, be they target, host, or both.

Also, the CPE_ID values are automatically filled in for the host
variant of the package by deriving the one of the corresponding target
package. This is explained in PATCH 03/10 commit log, which states:

"""
The <pkg>_CPE_ID_* values for the host package are inherited from the
same variables of the corresponding target package, as we normally do
for most package variables.
"""

So, if you set any of the <pkg>_CPE_ID_* variables, or
<pkg>_CPE_ID_VALID = YES, then it will apply to both the target and
host package, unless of course you override HOST_<pkg>_CPE_ID_* for
some reason.

Does this help ?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 08/10] support/script/pkg-stats: show CPE ID in results

[Matthew Weber]

Thomas,


On Thu, Nov 5, 2020 at 11:02 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Wed, 4 Nov 2020 11:18:50 -0600
> Matthew Weber <matthew.weber@rockwellcollins.com> wrote:
>
> > > +        elif pkgvar.endswith("_CPE_ID"):
> > > +            pkgvar = pkgvar[:-7]
> > > +            Package.all_cpeids[pkgvar] = value
> >
> > I haven't dug that deep yet in the script, but would this populate
> > host and target CPE ID values?  I know the Infrastructure does note
> > host/target so there is probably enough information to conditionally
> > pull the value.
>
> pkg-stats doesn't have a notion of a package being a host or a target
> package. It knows only about packages, be they target, host, or both.
>
> Also, the CPE_ID values are automatically filled in for the host
> variant of the package by deriving the one of the corresponding target
> package. This is explained in PATCH 03/10 commit log, which states:
>
> """
> The <pkg>_CPE_ID_* values for the host package are inherited from the
> same variables of the corresponding target package, as we normally do
> for most package variables.
> """

Yep, agree I was tracking the fact a host package CPE ID was also
being created.  I was just thinking you could end up with a case of
two CPE IDs, one for a host vs target package.  I guess that really
isn't the case so you can ignore this question.  I was really thinking
of the case like libcurl where the package has two CPE IDs but that
could really be a future patchset problem.

Matt

[Buildroot] [PATCH 08/10] support/script/pkg-stats: show CPE ID in results

[Heiko Thiery]

Hi Thomas,

Am Mi., 4. Nov. 2020 um 15:52 Uhr schrieb Thomas Petazzoni
<thomas.petazzoni@bootlin.com>:
>
> From: Gregory CLEMENT <gregory.clement@bootlin.com>
>
> This commit improves the pkg-stats script to show the CPE ID of
> packages, if available. For now, it doesn't use CPE IDs to match CVEs.
>
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  support/scripts/pkg-stats | 44 ++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 43 insertions(+), 1 deletion(-)
>
> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 503cc45c16..0a48cf9581 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats
> @@ -76,6 +76,7 @@ class Package:
>      all_license_files = list()
>      all_versions = dict()
>      all_ignored_cves = dict()
> +    all_cpeids = dict ()
>      # This is the list of all possible checks. Add new checks to this list so
>      # a tool that post-processeds the json output knows the checks before
>      # iterating over the packages.
> @@ -96,6 +97,7 @@ class Package:
>          self.current_version = None
>          self.url = None
>          self.url_worker = None
> +        self.cpeid = None
>          self.cves = list()
>          self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
>          self.status = {}
> @@ -210,6 +212,14 @@ class Package:
>          if var in self.all_versions:
>              self.current_version = self.all_versions[var]
>
> +    def set_cpeid(self):
> +        """
> +        Fills in the .cpeid field
> +        """
> +        var = self.pkgvar()
> +        if var in self.all_cpeids:
> +            self.cpeid = self.all_cpeids[var]

Maybe a status for CPE could also be set:

         Fills in the .cpeid field
         """
         var = self.pkgvar()
+
+        self.status['cpe'] = ("na", "no CPE identifier verified")
+
         if var in self.all_cpeids:
             self.cpeid = self.all_cpeids[var]
+            self.status['cpe'] = ("ok", "CPE identifier verified")



> +
>      def set_check_package_warnings(self):
>          """
>          Fills in the .warnings and .status['pkg-check'] fields
> @@ -333,7 +343,7 @@ def get_pkglist(npackages, package_list):
>  def package_init_make_info():
>      # Fetch all variables at once
>      variables = subprocess.check_output(["make", "BR2_HAVE_DOT_CONFIG=y", "-s", "printvars",
> -                                         "VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES"])
> +                                         "VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES %_CPE_ID"])
>      variable_list = variables.decode().splitlines()
>
>      # We process first the host package VERSION, and then the target
> @@ -371,6 +381,9 @@ def package_init_make_info():
>              pkgvar = pkgvar[:-12]
>              Package.all_ignored_cves[pkgvar] = value.split()
>
> +        elif pkgvar.endswith("_CPE_ID"):
> +            pkgvar = pkgvar[:-7]
> +            Package.all_cpeids[pkgvar] = value
>
>  check_url_count = 0
>
> @@ -578,6 +591,10 @@ def calculate_stats(packages):
>          stats["total-cves"] += len(pkg.cves)
>          if len(pkg.cves) != 0:
>              stats["pkg-cves"] += 1
> +        if pkg.cpeid:
> +            stats["cpe-id"] += 1
> +        else:
> +            stats["no-cpe-id"] += 1
>      return stats
>
>
> @@ -800,6 +817,19 @@ def dump_html_pkg(f, pkg):
>          f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
>      f.write("  </td>\n")
>
> +    # CPE ID
> +    td_class = ["left"]
> +    if pkg.cpeid:
> +        td_class.append("correct")
> +    else:
> +        td_class.append("wrong")
> +    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
> +    if pkg.cpeid:
> +        f.write("  <code>%s</code>\n" % pkg.cpeid)
> +    else:
> +        f.write("  N/A\n")
> +    f.write("  </td>\n")
> +
>      f.write(" </tr>\n")
>
>
> @@ -818,6 +848,7 @@ def dump_html_all_pkgs(f, packages):
>  <td class=\"centered\">Warnings</td>
>  <td class=\"centered\">Upstream URL</td>
>  <td class=\"centered\">CVEs</td>
> +<td class=\"centered\">CPE ID</td>
>  </tr>
>  """)
>      for pkg in sorted(packages):
> @@ -860,6 +891,10 @@ def dump_html_stats(f, stats):
>              stats["pkg-cves"])
>      f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
>              stats["total-cves"])
> +    f.write("<tr><td>Packages with CPE ID</td><td>%s</td></tr>\n" %
> +            stats["cpe-id"])
> +    f.write("<tr><td>Packages without CPE ID</td><td>%s</td></tr>\n" %
> +            stats["no-cpe-id"])
>      f.write("</table>\n")
>
>
> @@ -932,11 +967,17 @@ def parse_args():
>                            help='List of packages (comma separated)')
>      parser.add_argument('--nvd-path', dest='nvd_path',
>                          help='Path to the local NVD database', type=resolvepath)
> +    parser.add_argument("--cpeid", action='store_true')
>      args = parser.parse_args()
>      if not args.html and not args.json:
>          parser.error('at least one of --html or --json (or both) is required')
>      return args
>
> +def cpeid_name(pkg):
> +    try:
> +        return pkg.cpeid.split(':')[1]
> +    except:
> +        return ''
>
>  def __main__():
>      args = parse_args()
> @@ -965,6 +1006,7 @@ def __main__():
>          pkg.set_patch_count()
>          pkg.set_check_package_warnings()
>          pkg.set_current_version()
> +        pkg.set_cpeid()
>          pkg.set_url()
>          pkg.set_developers(developers)
>      print("Checking URL status")

Tested-by: Heiko Thiery <heiko.thiery@gmail.com>

Thank you

-- 
Heiko

[Buildroot] [PATCH 08/10] support/script/pkg-stats: show CPE ID in results

[Arnout Vandecappelle]

 Hi Thomas,

On 04/11/2020 15:51, Thomas Petazzoni wrote:
> |From: Gregory CLEMENT <gregory.clement@bootlin.com> This commit improves the
> pkg-stats script to show the CPE ID of packages, if available. For now, it
> doesn't use CPE IDs to match CVEs. 

> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>|

 This and the following two patches have received quite a few comments. However,
it's not entirely clear to me if I should mark it as Changes Requested in
patchwork, or just apply it as is...

 Regards,
 Arnout

[Buildroot] [PATCH 08/10] support/script/pkg-stats: show CPE ID in results

[Thomas Petazzoni]

On Mon, 11 Jan 2021 23:37:35 +0100
Arnout Vandecappelle <arnout@mind.be> wrote:

>  This and the following two patches have received quite a few comments. However,
> it's not entirely clear to me if I should mark it as Changes Requested in
> patchwork, or just apply it as is...

This was an older iteration, which in fact was superseded, and I have
applied the latest version of the patch series (sent December 4,
applied early January).

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching

[Thomas Petazzoni]

This commit modifies cve.py, as well as its users cve-checker and
pkg-stats to support CPE ID based matching, for packages that have CPE
ID information.

One of the non-trivial thing is that we can't simply iterate over all
CVEs, and then iterate over all our packages to see which packages
have CPE ID information that match the CPEs affected by the
CVE. Indeed, this is an O(n^2) operation.

So instead, we do a pre-filtering of packages potentially affected. In
check_package_cves(), we build a cpe_product_pkgs dict that associates
a CPE product name to the packages that have this CPE product
name. The CPE product name is either derived from the CPE information
provided by the package if available, and otherwise we use the package
name, which is what was used prior to this patch.

And then, when we look at CVEs, we only consider the packages that
have a CPE product name matching the CPE products affected by the
CVEs. This is done in check_package_cve_affects().

Note that there is a bit of duplication of logic between cve-checker
and pkg-stats, but we intend in a follow-up series to re-unify those
two scripts.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 support/scripts/cve-checker | 24 +++++++++++++++++-----
 support/scripts/cve.py      | 41 +++++++++++++++++++++++++++++--------
 support/scripts/pkg-stats   | 25 +++++++++++++++-------
 3 files changed, 70 insertions(+), 20 deletions(-)

diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index 421202d049..e1dfab3805 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -23,6 +23,7 @@ import os
 import json
 import sys
 import cve as cvecheck
+from collections import defaultdict
 
 
 class Package:
@@ -34,15 +35,28 @@ class Package:
         self.ignored_cves = ignored_cves
 
 
+def check_package_cve_affects(cve, cpe_product_pkgs):
+    for product in cve.affected_products:
+        if not product in cpe_product_pkgs:
+            continue
+        for pkg in cpe_product_pkgs[product]:
+            if cve.affects(pkg.name, pkg.version, pkg.ignored_cves, pkg.cpeid) == cve.CVE_AFFECTS:
+                pkg.cves.append(cve.identifier)
+
 def check_package_cves(nvd_path, packages):
     if not os.path.isdir(nvd_path):
         os.makedirs(nvd_path)
 
+    cpe_product_pkgs = defaultdict(list)
+    for pkg in packages:
+        if pkg.cpeid:
+            cpe_product = cvecheck.cpe_product(pkg.cpeid)
+            cpe_product_pkgs[cpe_product].append(pkg)
+        else:
+            cpe_product_pkgs[pkg.name].append(pkg)
+
     for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
-        for pkg_name in cve.pkg_names:
-            pkg = packages.get(pkg_name, '')
-            if pkg and cve.affects(pkg.name, pkg.version, pkg.ignored_cves) == cve.CVE_AFFECTS:
-                pkg.cves.append(cve.identifier)
+        check_package_cve_affects(cve, cpe_product_pkgs)
 
 
 html_header = """
@@ -199,7 +213,7 @@ def __main__():
     date = datetime.datetime.utcnow()
 
     print("Checking packages CVEs")
-    check_package_cves(args.nvd_path, {p.name: p for p in packages})
+    check_package_cves(args.nvd_path, packages)
 
     if args.html:
         print("Write HTML")
diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index e7472cd470..6e97ea193f 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -47,6 +47,24 @@ ops = {
 }
 
 
+# Check if two CPE IDs match each other
+def cpe_matches(cpe1, cpe2):
+    cpe1_elems = cpe1.split(":")
+    cpe2_elems = cpe2.split(":")
+
+    remains = filter(lambda x: x[0] not in ["*", "-"] and x[1] not in ["*", "-"] and x[0] != x[1],
+                     zip(cpe1_elems, cpe2_elems))
+    return len(list(remains)) == 0
+
+
+def cpe_product(cpe):
+    return cpe.split(':')[4]
+
+
+def cpe_version(cpe):
+    return cpe.split(':')[5]
+
+
 class CVE:
     """An accessor class for CVE Items in NVD files"""
     CVE_AFFECTS = 1
@@ -134,7 +152,11 @@ class CVE:
         for cpe in node.get('cpe_match', ()):
             if not cpe['vulnerable']:
                 return
-            vendor, product, version = cpe['cpe23Uri'].split(':')[3:6]
+            product = cpe_product(cpe['cpe23Uri'])
+            version = cpe_version(cpe['cpe23Uri'])
+            # ignore when product is '-', which means N/A
+            if product == '-':
+                return
             op_start = ''
             op_end = ''
             v_start = ''
@@ -163,8 +185,7 @@ class CVE:
                     v_end = cpe['versionEndExcluding']
 
             yield {
-                'vendor': vendor,
-                'product': product,
+                'id': cpe['cpe23Uri'],
                 'v_start': v_start,
                 'op_start': op_start,
                 'v_end': v_end,
@@ -182,11 +203,11 @@ class CVE:
         return self.nvd_cve['cve']['CVE_data_meta']['ID']
 
     @property
-    def pkg_names(self):
-        """The set of package names referred by this CVE definition"""
-        return set(p['product'] for p in self.each_cpe())
+    def affected_products(self):
+        """The set of CPE products referred by this CVE definition"""
+        return set(cpe_product(p['id']) for p in self.each_cpe())
 
-    def affects(self, name, version, cve_ignore_list):
+    def affects(self, name, version, cve_ignore_list, cpeid=None):
         """
         True if the Buildroot Package object passed as argument is affected
         by this CVE.
@@ -199,8 +220,12 @@ class CVE:
             print("Cannot parse package '%s' version '%s'" % (name, version))
             pkg_version = None
 
+        # if we don't have a cpeid, build one based on name and version
+        if not cpeid:
+            cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
+
         for cpe in self.each_cpe():
-            if cpe['product'] != name:
+            if not cpe_matches(cpe['id'], cpeid):
                 continue
             if not cpe['v_start'] and not cpe['v_end']:
                 return self.CVE_AFFECTS
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 0a48cf9581..f357cbe1b6 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -540,17 +540,28 @@ async def check_package_latest_version(packages):
         await asyncio.wait(tasks)
 
 
+def check_package_cve_affects(cve, cpe_product_pkgs):
+    for product in cve.affected_products:
+        if not product in cpe_product_pkgs:
+            continue
+        for pkg in cpe_product_pkgs[product]:
+            if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves, pkg.cpeid) == cve.CVE_AFFECTS:
+                pkg.cves.append(cve.identifier)
+
 def check_package_cves(nvd_path, packages):
     if not os.path.isdir(nvd_path):
         os.makedirs(nvd_path)
 
-    for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
-        for pkg_name in cve.pkg_names:
-            if pkg_name in packages:
-                pkg = packages[pkg_name]
-                if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves) == cve.CVE_AFFECTS:
-                    pkg.cves.append(cve.identifier)
+    cpe_product_pkgs = defaultdict(list)
+    for pkg in packages:
+        if pkg.cpeid:
+            cpe_product = cvecheck.cpe_product(pkg.cpeid)
+            cpe_product_pkgs[cpe_product].append(pkg)
+        else:
+            cpe_product_pkgs[pkg.name].append(pkg)
 
+    for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
+        check_package_cve_affects(cve, cpe_product_pkgs)
 
 def calculate_stats(packages):
     stats = defaultdict(int)
@@ -1017,7 +1028,7 @@ def __main__():
     loop.run_until_complete(check_package_latest_version(packages))
     if args.nvd_path:
         print("Checking packages CVEs")
-        check_package_cves(args.nvd_path, {p.name: p for p in packages})
+        check_package_cves(args.nvd_path, packages)
     print("Calculate stats")
     stats = calculate_stats(packages)
     if args.html:
-- 
2.26.2

[Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching

[Matthew Weber]

Thomas / Greg,

On Wed, Nov 4, 2020 at 8:52 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> This commit modifies cve.py, as well as its users cve-checker and
> pkg-stats to support CPE ID based matching, for packages that have CPE
> ID information.
>
> One of the non-trivial thing is that we can't simply iterate over all
> CVEs, and then iterate over all our packages to see which packages
> have CPE ID information that match the CPEs affected by the
> CVE. Indeed, this is an O(n^2) operation.
>
> So instead, we do a pre-filtering of packages potentially affected. In
> check_package_cves(), we build a cpe_product_pkgs dict that associates
> a CPE product name to the packages that have this CPE product
> name. The CPE product name is either derived from the CPE information
> provided by the package if available, and otherwise we use the package
> name, which is what was used prior to this patch.
>
> And then, when we look at CVEs, we only consider the packages that
> have a CPE product name matching the CPE products affected by the
> CVEs. This is done in check_package_cve_affects().
>
> Note that there is a bit of duplication of logic between cve-checker
> and pkg-stats, but we intend in a follow-up series to re-unify those
> two scripts.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  support/scripts/cve-checker | 24 +++++++++++++++++-----
>  support/scripts/cve.py      | 41 +++++++++++++++++++++++++++++--------
>  support/scripts/pkg-stats   | 25 +++++++++++++++-------
>  3 files changed, 70 insertions(+), 20 deletions(-)
>
> diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
> index 421202d049..e1dfab3805 100755
> --- a/support/scripts/cve-checker
> +++ b/support/scripts/cve-checker

I noticed this tool isn't described in the manual with at least an
example invocation noting why the nvd folder is being cached and the
piping of show-info output, etc.

Basic test config:

BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
BR2_PACKAGE_LIBSODIUM=y
BR2_PACKAGE_LIBSSH=y
BR2_PACKAGE_LIBSSH2=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_OPENSSL=y
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set

make show-info | support/scripts/cve-checker --html cve.html
--nvd-path ~/nvd_dl/

Result:  https://pastebin.ubuntu.com/p/H4hZzxgsCZ/

[snip]

> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 0a48cf9581..f357cbe1b6 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats

support/scripts/pkg-stats --html cve.html -p linux --nvd-path ~/nvd_dl --cpeid

Results:  https://pastebin.ubuntu.com/p/RKF3F4bCcG/

Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>

[Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching

[Peter Korsgaard]

>>>>> "Matthew" == Matthew Weber <matthew.weber@rockwellcollins.com> writes:

 > Thomas / Greg,
 >> diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
 >> index 421202d049..e1dfab3805 100755
 >> --- a/support/scripts/cve-checker
 >> +++ b/support/scripts/cve-checker

 > I noticed this tool isn't described in the manual with at least an
 > example invocation noting why the nvd folder is being cached and the
 > piping of show-info output, etc.

Yes, I noticed that as well while updating CHANGES for 2020.11-rc1. It
also reads stdin before handling the command line arguments, so you
cannot just run ./support/scripts/cve-checker --help to get usage info
:/

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching

[Thomas Petazzoni]

On Thu, 05 Nov 2020 09:46:38 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:

> Yes, I noticed that as well while updating CHANGES for 2020.11-rc1. It
> also reads stdin before handling the command line arguments, so you
> cannot just run ./support/scripts/cve-checker --help to get usage info
> :/

See patch 02/10 in this series, which fixes precisely this.

However, I am about to send a patch series that drops cve-checker
entirely, by making pkg-stats provide the same functionality.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching

[Gregory CLEMENT]

Hello Thomas,

> -    def affects(self, name, version, cve_ignore_list):
> +    def affects(self, name, version, cve_ignore_list, cpeid=None):
>          """
>          True if the Buildroot Package object passed as argument is affected
>          by this CVE.
> @@ -199,8 +220,12 @@ class CVE:
>              print("Cannot parse package '%s' version '%s'" % (name, version))
>              pkg_version = None
>  
> +        # if we don't have a cpeid, build one based on name and version
> +        if not cpeid:
> +            cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
> +
>          for cpe in self.each_cpe():
> -            if cpe['product'] != name:
> +            if not cpe_matches(cpe['id'], cpeid):
>                  continue

Here you compare the full cpeid including the version to the cpeid
associated to the CVE. But if the CVE is about a range of version (using
versionStartIncluding for instance), then this test may file was
actually the package would be affected because the version is inside the
range of version affected.

Or maybe I missed something in this case could you point me where I am
wrong ?

Gregory

>              if not cpe['v_start'] and not cpe['v_end']:
>                  return self.CVE_AFFECTS
> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 0a48cf9581..f357cbe1b6 100755

-- 
Gregory Clement, Bootlin
Embedded Linux and Kernel engineering
http://bootlin.com

[Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching

[Thomas Petazzoni]

On Thu, 05 Nov 2020 15:55:56 +0100
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> > +        # if we don't have a cpeid, build one based on name and version
> > +        if not cpeid:
> > +            cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
> > +
> >          for cpe in self.each_cpe():
> > -            if cpe['product'] != name:
> > +            if not cpe_matches(cpe['id'], cpeid):
> >                  continue  
> 
> Here you compare the full cpeid including the version to the cpeid
> associated to the CVE. But if the CVE is about a range of version (using
> versionStartIncluding for instance), then this test may file was
> actually the package would be affected because the version is inside the
> range of version affected.

So, a package will have a CPE ID like this:

  cpe:2.3:a:vendor:product:1.0.4:*:*:*:*:*:*:*

Then, a CVE will have two cases:

 - Either it has a CPE ID that includes directly a version, like:

   cpe:2.3:a:vendor:product:1.0.3:*:*:*:*:*:*:*

   In this case, the cpe_matches() function will return False, because
   indeed 1.0.3 isn't the same as 1.0.4

 - Or it has a CPE ID that does *NOT* include a version, because the
   version is specified separately through versionStartIncluding and
   similar properties. In this case, the CPE ID of the CVE will look
   like this:

   cpe:2.3:a:vendor:product:*:*:*:*:*:*:*:*

   Notice how the "version" field is "*". The cpe_matches() function
   handles "*" as a wildcard, and will allow it to match any value. So
   "*" matches "1.0.4", which means in this situation, cpe_matches()
   will return True, so the code logic will continue, and test if we're
   in the version range or not.

The code goes like this:

            if not cpe_matches(cpe['id'], cpeid):
                # The CPE doesn't match, so skip
                continue

            if not cpe['v_start'] and not cpe['v_end']:
                # The CPE matches *and* we don't have a version range, so we know the CVE affects us
                return self.CVE_AFFECTS

            if not pkg_version:
                # The version of the package couldn't be parsed, so we're not able to compare it
                # with distutils.version.LooseVersion(), so skip
                continue

            # and then here we handle the version range (code was not changed)

Does this explain how it works ? Let me know if you still see an issue,
because I could also be missing something.

Note: I checked the JSON output of pkg-stats before and after this
commit, and it is identical.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching

[Gregory CLEMENT]

Hi Thomas,

> On Thu, 05 Nov 2020 15:55:56 +0100
> Gregory CLEMENT <gregory.clement@bootlin.com> wrote:
>
>> > +        # if we don't have a cpeid, build one based on name and version
>> > +        if not cpeid:
>> > +            cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
>> > +
>> >          for cpe in self.each_cpe():
>> > -            if cpe['product'] != name:
>> > +            if not cpe_matches(cpe['id'], cpeid):
>> >                  continue  
>> 
>> Here you compare the full cpeid including the version to the cpeid
>> associated to the CVE. But if the CVE is about a range of version (using
>> versionStartIncluding for instance), then this test may file was
>> actually the package would be affected because the version is inside the
>> range of version affected.
>
> So, a package will have a CPE ID like this:
>
>   cpe:2.3:a:vendor:product:1.0.4:*:*:*:*:*:*:*
>
> Then, a CVE will have two cases:
>
>  - Either it has a CPE ID that includes directly a version, like:
>
>    cpe:2.3:a:vendor:product:1.0.3:*:*:*:*:*:*:*
>
>    In this case, the cpe_matches() function will return False, because
>    indeed 1.0.3 isn't the same as 1.0.4
>
>  - Or it has a CPE ID that does *NOT* include a version, because the
>    version is specified separately through versionStartIncluding and
>    similar properties. In this case, the CPE ID of the CVE will look
>    like this:
>
>    cpe:2.3:a:vendor:product:*:*:*:*:*:*:*:*
>
>    Notice how the "version" field is "*". The cpe_matches() function
>    handles "*" as a wildcard, and will allow it to match any value. So
>    "*" matches "1.0.4", which means in this situation, cpe_matches()
>    will return True, so the code logic will continue, and test if we're
>    in the version range or not.
>
> The code goes like this:
>
>             if not cpe_matches(cpe['id'], cpeid):
>                 # The CPE doesn't match, so skip
>                 continue
>
>             if not cpe['v_start'] and not cpe['v_end']:
>                 # The CPE matches *and* we don't have a version range, so we know the CVE affects us
>                 return self.CVE_AFFECTS
>
>             if not pkg_version:
>                 # The version of the package couldn't be parsed, so we're not able to compare it
>                 # with distutils.version.LooseVersion(), so skip
>                 continue
>
>             # and then here we handle the version range (code was not changed)
>
> Does this explain how it works ? Let me know if you still see an issue,
> because I could also be missing something.

Yes it makes sens now. The key point is that when using the keywords
like versionStartIncluding, then the CPE ID referenced in database will
use wildcard for the version. I overlooked this.

Thanks for the explanation.

Gregory

>
> Note: I checked the JSON output of pkg-stats before and after this
> commit, and it is identical.
>
> Best regards,
>
> Thomas
> -- 
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

-- 
Gregory Clement, Bootlin
Embedded Linux and Kernel engineering
http://bootlin.com

[Buildroot] [PATCH 10/10] package: provide CPE ID details for numerous packages

[Thomas Petazzoni]

From: Matt Weber <matthew.weber@rockwellcollins.com>

This patch adds CPE ID information for a significant number of
packages.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 boot/grub2/grub2.mk                                   |  1 +
 boot/uboot/uboot.mk                                   |  2 ++
 linux/linux.mk                                        |  2 ++
 package/audit/audit.mk                                |  2 ++
 package/aufs/aufs.mk                                  |  1 +
 package/bash/bash.mk                                  |  1 +
 package/bc/bc.mk                                      |  1 +
 package/bind/bind.mk                                  |  1 +
 package/boost/boost.mk                                |  1 +
 package/bridge-utils/bridge-utils.mk                  |  1 +
 package/busybox/busybox.mk                            |  1 +
 package/bzip2/bzip2.mk                                |  1 +
 package/clang/clang.mk                                |  1 +
 package/collectd/collectd.mk                          |  1 +
 package/conntrack-tools/conntrack-tools.mk            |  1 +
 package/coreutils/coreutils.mk                        |  1 +
 package/crda/crda.mk                                  |  1 +
 package/davici/davici.mk                              |  1 +
 package/dbus-glib/dbus-glib.mk                        |  1 +
 package/dbus/dbus.mk                                  |  2 ++
 package/dhcp/dhcp.mk                                  |  1 +
 package/dnsmasq/dnsmasq.mk                            |  1 +
 package/dropbear/dropbear.mk                          |  2 ++
 package/ebtables/ebtables.mk                          |  1 +
 package/ethtool/ethtool.mk                            |  1 +
 package/expat/expat.mk                                |  1 +
 package/gdb/gdb.mk                                    |  1 +
 package/gesftpserver/gesftpserver.mk                  |  2 ++
 package/glibc/glibc.mk                                |  1 +
 package/gmp/gmp.mk                                    |  1 +
 package/gnupg/gnupg.mk                                |  1 +
 package/gnutls/gnutls.mk                              |  1 +
 package/grep/grep.mk                                  |  1 +
 package/gtest/gtest.mk                                |  2 ++
 package/gzip/gzip.mk                                  |  1 +
 package/hostapd/hostapd.mk                            |  1 +
 package/ifupdown/ifupdown.mk                          |  1 +
 package/iperf/iperf.mk                                |  2 ++
 package/iperf3/iperf3.mk                              |  1 +
 package/ipset/ipset.mk                                |  1 +
 package/iptables/iptables.mk                          |  1 +
 package/iw/iw.mk                                      |  1 +
 package/kmod/kmod.mk                                  |  2 ++
 package/libarchive/libarchive.mk                      |  1 +
 package/libcurl/libcurl.mk                            |  2 ++
 package/libestr/libestr.mk                            |  1 +
 package/libfastjson/libfastjson.mk                    |  1 +
 package/libfcgi/libfcgi.mk                            |  2 ++
 package/libffi/libffi.mk                              |  2 ++
 package/libgcrypt/libgcrypt.mk                        |  1 +
 package/libglib2/libglib2.mk                          |  2 ++
 package/libgpg-error/libgpg-error.mk                  |  1 +
 package/liblogging/liblogging.mk                      |  1 +
 package/libmbim/libmbim.mk                            |  1 +
 package/libmnl/libmnl.mk                              |  1 +
 .../libnetfilter_conntrack/libnetfilter_conntrack.mk  |  1 +
 .../libnetfilter_cthelper/libnetfilter_cthelper.mk    |  1 +
 .../libnetfilter_cttimeout/libnetfilter_cttimeout.mk  |  1 +
 package/libnetfilter_queue/libnetfilter_queue.mk      |  1 +
 package/libnfnetlink/libnfnetlink.mk                  |  1 +
 package/libopenssl/Config.in                          | 11 +++++++++++
 package/libopenssl/libopenssl.mk                      |  2 ++
 package/libpcap/libpcap.mk                            |  1 +
 package/libselinux/libselinux.mk                      |  1 +
 package/libsemanage/libsemanage.mk                    |  1 +
 package/libsepol/libsepol.mk                          |  1 +
 package/libssh2/libssh2.mk                            |  1 +
 package/libsysfs/libsysfs.mk                          |  2 ++
 package/libtasn1/libtasn1.mk                          |  1 +
 package/libunistring/libunistring.mk                  |  1 +
 package/libxml2/libxml2.mk                            |  1 +
 package/libxslt/libxslt.mk                            |  1 +
 package/libzlib/libzlib.mk                            |  2 ++
 package/lighttpd/lighttpd.mk                          |  1 +
 package/linux-firmware/linux-firmware.mk              |  2 ++
 package/linux-headers/linux-headers.mk                |  2 ++
 package/linux-pam/linux-pam.mk                        |  2 ++
 package/llvm/llvm.mk                                  |  1 +
 package/lxc/lxc.mk                                    |  1 +
 package/lz4/lz4.mk                                    |  1 +
 package/memtester/memtester.mk                        |  1 +
 package/mii-diag/mii-diag.mk                          |  1 +
 package/mpfr/mpfr.mk                                  |  1 +
 package/mrouted/mrouted.mk                            |  1 +
 package/mtd/mtd.mk                                    |  2 ++
 package/ncurses/ncurses.mk                            |  1 +
 package/netsnmp/netsnmp.mk                            |  2 ++
 package/nfs-utils/nfs-utils.mk                        |  2 ++
 package/openssh/openssh.mk                            |  3 +++
 package/pax-utils/pax-utils.mk                        |  1 +
 package/paxtest/paxtest.mk                            |  1 +
 package/pcre/pcre.mk                                  |  1 +
 package/pixman/pixman.mk                              |  1 +
 package/policycoreutils/policycoreutils.mk            |  1 +
 package/pppd/pppd.mk                                  |  2 ++
 package/proftpd/proftpd.mk                            |  1 +
 package/protobuf/protobuf.mk                          |  1 +
 package/pure-ftpd/pure-ftpd.mk                        |  1 +
 package/python-lxml/python-lxml.mk                    |  2 ++
 package/python-setuptools/python-setuptools.mk        |  2 ++
 package/python/python.mk                              |  1 +
 package/qemu/qemu.mk                                  |  1 +
 package/rapidjson/rapidjson.mk                        |  1 +
 package/readline/readline.mk                          |  1 +
 package/refpolicy/refpolicy.mk                        |  1 +
 package/rsyslog/rsyslog.mk                            |  1 +
 package/rt-tests/rt-tests.mk                          |  1 +
 package/sed/sed.mk                                    |  1 +
 package/setools/setools.mk                            |  1 +
 package/setserial/setserial.mk                        |  1 +
 package/smcroute/smcroute.mk                          |  1 +
 package/spawn-fcgi/spawn-fcgi.mk                      |  1 +
 package/sqlite/sqlite.mk                              |  2 ++
 package/strongswan/strongswan.mk                      |  1 +
 package/tar/tar.mk                                    |  1 +
 package/tcl/tcl.mk                                    |  1 +
 package/tcpdump/tcpdump.mk                            |  1 +
 package/tftpd/tftpd.mk                                |  2 ++
 package/uboot-tools/uboot-tools.mk                    |  2 ++
 package/util-linux/util-linux.mk                      |  1 +
 package/valgrind/valgrind.mk                          |  1 +
 package/vim/vim.mk                                    |  1 +
 package/wget/wget.mk                                  |  1 +
 package/wireless-regdb/wireless-regdb.mk              |  1 +
 package/wireless_tools/wireless_tools.mk              |  2 ++
 package/wpa_supplicant/wpa_supplicant.mk              |  1 +
 package/xerces/xerces.mk                              |  2 ++
 package/xz/xz.mk                                      |  1 +
 128 files changed, 170 insertions(+)

diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index 5fca2315ee..9686815f4d 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -37,6 +37,7 @@ GRUB2_INSTALL_TARGET = YES
 else
 GRUB2_INSTALL_TARGET = NO
 endif
+GRUB2_CPE_ID_VENDOR = gnu
 
 GRUB2_BUILTIN_MODULES = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES))
 GRUB2_BUILTIN_CONFIG = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG))
diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk
index 72d5df412d..2028fb1167 100644
--- a/boot/uboot/uboot.mk
+++ b/boot/uboot/uboot.mk
@@ -11,6 +11,8 @@ UBOOT_LICENSE = GPL-2.0+
 ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)
 UBOOT_LICENSE_FILES = Licenses/gpl-2.0.txt
 endif
+UBOOT_CPE_ID_VENDOR = denx
+UBOOT_CPE_ID_NAME = u-boot
 
 UBOOT_INSTALL_IMAGES = YES
 
diff --git a/linux/linux.mk b/linux/linux.mk
index e07e014d1e..648f6ea2a5 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -12,6 +12,8 @@ LINUX_LICENSE_FILES = \
 	LICENSES/preferred/GPL-2.0 \
 	LICENSES/exceptions/Linux-syscall-note
 endif
+LINUX_CPE_ID_VENDOR = $(LINUX_NAME)
+LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel
 
 define LINUX_HELP_CMDS
 	@echo '  linux-menuconfig       - Run Linux kernel menuconfig'
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
index 652e0fcd56..a20767d24b 100644
--- a/package/audit/audit.mk
+++ b/package/audit/audit.mk
@@ -10,6 +10,8 @@ AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
 AUDIT_LICENSE_FILES = COPYING COPYING.LIB
 # 0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 AUDIT_AUTORECONF = YES
+AUDIT_CPE_ID_VENDOR = linux_audit_project
+AUDIT_CPE_ID_NAME = linux_audit
 
 AUDIT_INSTALL_STAGING = YES
 
diff --git a/package/aufs/aufs.mk b/package/aufs/aufs.mk
index 4e95a350a0..495e94e606 100644
--- a/package/aufs/aufs.mk
+++ b/package/aufs/aufs.mk
@@ -7,6 +7,7 @@
 AUFS_VERSION = $(call qstrip,$(BR2_PACKAGE_AUFS_VERSION))
 AUFS_LICENSE = GPL-2.0
 AUFS_LICENSE_FILES = COPYING
+AUFS_CPE_ID_VERSION = 4.1
 
 ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)
 AUFS_SITE = http://git.code.sf.net/p/aufs/aufs3-standalone
diff --git a/package/bash/bash.mk b/package/bash/bash.mk
index 1843862e49..b4681c1085 100644
--- a/package/bash/bash.mk
+++ b/package/bash/bash.mk
@@ -10,6 +10,7 @@ BASH_DEPENDENCIES = ncurses readline host-bison
 BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
 BASH_LICENSE = GPL-3.0+
 BASH_LICENSE_FILES = COPYING
+BASH_CPE_ID_VENDOR = gnu
 
 BASH_CONF_ENV += \
 	ac_cv_rl_prefix="$(STAGING_DIR)" \
diff --git a/package/bc/bc.mk b/package/bc/bc.mk
index fdfacb6c89..06b6feae4f 100644
--- a/package/bc/bc.mk
+++ b/package/bc/bc.mk
@@ -9,6 +9,7 @@ BC_SITE = http://ftp.gnu.org/gnu/bc
 BC_DEPENDENCIES = host-flex
 BC_LICENSE = GPL-2.0+, LGPL-2.1+
 BC_LICENSE_FILES = COPYING COPYING.LIB
+BC_CPE_ID_VENDOR = gnu
 BC_CONF_ENV = MAKEINFO=true
 
 # 0001-bc-use-MAKEINFO-variable-for-docs.patch and 0004-no-gen-libmath.patch
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 18fc4845f9..41b3146da1 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -12,6 +12,7 @@ BIND_INSTALL_STAGING = YES
 BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
 BIND_LICENSE = MPL-2.0
 BIND_LICENSE_FILES = COPYRIGHT
+BIND_CPE_ID_VENDOR = isc
 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
 BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
 BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
diff --git a/package/boost/boost.mk b/package/boost/boost.mk
index 82fe42d6b2..d5c404a13c 100644
--- a/package/boost/boost.mk
+++ b/package/boost/boost.mk
@@ -10,6 +10,7 @@ BOOST_SITE = https://dl.bintray.com/boostorg/release/$(BOOST_VERSION)/source
 BOOST_INSTALL_STAGING = YES
 BOOST_LICENSE = BSL-1.0
 BOOST_LICENSE_FILES = LICENSE_1_0.txt
+BOOST_CPE_ID_VENDOR = $(BOOST_NAME)
 
 # CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
 # while in fact it affects Drupal (a module called boost in there).
diff --git a/package/bridge-utils/bridge-utils.mk b/package/bridge-utils/bridge-utils.mk
index 9d63b3ef30..fa71c3a64e 100644
--- a/package/bridge-utils/bridge-utils.mk
+++ b/package/bridge-utils/bridge-utils.mk
@@ -10,6 +10,7 @@ BRIDGE_UTILS_SITE = \
 BRIDGE_UTILS_AUTORECONF = YES
 BRIDGE_UTILS_LICENSE = GPL-2.0+
 BRIDGE_UTILS_LICENSE_FILES = COPYING
+BRIDGE_UTILS_CPE_ID_VENDOR = kernel
 
 # Avoid using the host's headers. Location is not important as
 # required headers will anyway be found from within the sysroot.
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 8c8303a358..38c40eeb15 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -9,6 +9,7 @@ BUSYBOX_SITE = http://www.busybox.net/downloads
 BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
 BUSYBOX_LICENSE = GPL-2.0, bzip2-1.0.4
 BUSYBOX_LICENSE_FILES = LICENSE archival/libarchive/bz/LICENSE
+BUSYBOX_CPE_ID_VENDOR = $(BUSYBOX_NAME)
 
 define BUSYBOX_HELP_CMDS
 	@echo '  busybox-menuconfig     - Run BusyBox menuconfig'
diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index b4d8eea25e..c2e5f7610e 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -9,6 +9,7 @@ BZIP2_SITE = https://sourceware.org/pub/bzip2
 BZIP2_INSTALL_STAGING = YES
 BZIP2_LICENSE = bzip2 license
 BZIP2_LICENSE_FILES = LICENSE
+BZIP2_CPE_ID_VENDOR = bzip
 
 ifeq ($(BR2_STATIC_LIBS),)
 define BZIP2_BUILD_SHARED_CMDS
diff --git a/package/clang/clang.mk b/package/clang/clang.mk
index ceb7de9afa..bf1a362ccf 100644
--- a/package/clang/clang.mk
+++ b/package/clang/clang.mk
@@ -10,6 +10,7 @@ CLANG_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(CL
 CLANG_SOURCE = clang-$(CLANG_VERSION).src.tar.xz
 CLANG_LICENSE = Apache-2.0 with exceptions
 CLANG_LICENSE_FILES = LICENSE.TXT
+CLANG_CVE_ID_VENDOR = llvm
 CLANG_SUPPORTS_IN_SOURCE_BUILD = NO
 CLANG_INSTALL_STAGING = YES
 
diff --git a/package/collectd/collectd.mk b/package/collectd/collectd.mk
index 00e33f27df..83bf01109a 100644
--- a/package/collectd/collectd.mk
+++ b/package/collectd/collectd.mk
@@ -12,6 +12,7 @@ COLLECTD_CONF_ENV = ac_cv_lib_yajl_yajl_alloc=yes
 COLLECTD_INSTALL_STAGING = YES
 COLLECTD_LICENSE = MIT (daemon, plugins), GPL-2.0 (plugins), LGPL-2.1 (plugins)
 COLLECTD_LICENSE_FILES = COPYING
+COLLECTD_CPE_ID_VENDOR = $(COLLECTD_NAME)
 
 # These require unmet dependencies, are fringe, pointless or deprecated
 COLLECTD_PLUGINS_DISABLE = \
diff --git a/package/conntrack-tools/conntrack-tools.mk b/package/conntrack-tools/conntrack-tools.mk
index 145b6d785f..55ea407924 100644
--- a/package/conntrack-tools/conntrack-tools.mk
+++ b/package/conntrack-tools/conntrack-tools.mk
@@ -12,6 +12,7 @@ CONNTRACK_TOOLS_DEPENDENCIES = host-pkgconf \
 	libnetfilter_queue host-bison host-flex
 CONNTRACK_TOOLS_LICENSE = GPL-2.0+
 CONNTRACK_TOOLS_LICENSE_FILES = COPYING
+CONNTRACK_TOOLS_CPE_ID_VENDOR = netfilter
 
 CONNTRACK_TOOLS_CFLAGS = $(TARGET_CFLAGS)
 
diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
index 3866b76243..18e9052dfd 100644
--- a/package/coreutils/coreutils.mk
+++ b/package/coreutils/coreutils.mk
@@ -9,6 +9,7 @@ COREUTILS_SITE = $(BR2_GNU_MIRROR)/coreutils
 COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
 COREUTILS_LICENSE = GPL-3.0+
 COREUTILS_LICENSE_FILES = COPYING
+COREUTILS_CPE_ID_VENDOR = gnu
 
 COREUTILS_CONF_OPTS = --disable-rpath \
 	$(if $(BR2_TOOLCHAIN_USES_MUSL),--with-included-regex)
diff --git a/package/crda/crda.mk b/package/crda/crda.mk
index c5880797be..31a64d004b 100644
--- a/package/crda/crda.mk
+++ b/package/crda/crda.mk
@@ -9,6 +9,7 @@ CRDA_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snap
 CRDA_DEPENDENCIES = host-pkgconf host-python-pycryptodomex libnl libgcrypt
 CRDA_LICENSE = ISC
 CRDA_LICENSE_FILES = LICENSE
+CRDA_CPE_ID_VENDOR = kernel
 
 define CRDA_BUILD_CMDS
 	$(TARGET_CONFIGURE_OPTS) \
diff --git a/package/davici/davici.mk b/package/davici/davici.mk
index 5c08bbe0da..6c8df48b6a 100644
--- a/package/davici/davici.mk
+++ b/package/davici/davici.mk
@@ -8,6 +8,7 @@ DAVICI_VERSION = 1.3
 DAVICI_SITE = $(call github,strongswan,davici,v$(DAVICI_VERSION))
 DAVICI_LICENSE = LGPL-2.1+
 DAVICI_LICENSE_FILES = COPYING
+DAVICI_CPE_ID_VENDOR = strongswan
 DAVICI_DEPENDENCIES = strongswan
 DAVICI_INSTALL_STAGING = YES
 DAVICI_AUTORECONF = YES
diff --git a/package/dbus-glib/dbus-glib.mk b/package/dbus-glib/dbus-glib.mk
index 372942e1c3..5eb158d954 100644
--- a/package/dbus-glib/dbus-glib.mk
+++ b/package/dbus-glib/dbus-glib.mk
@@ -9,6 +9,7 @@ DBUS_GLIB_SITE = http://dbus.freedesktop.org/releases/dbus-glib
 DBUS_GLIB_INSTALL_STAGING = YES
 DBUS_GLIB_LICENSE = AFL-2.1 or GPL-2.0+
 DBUS_GLIB_LICENSE_FILES = COPYING
+DBUS_GLIB_CPE_ID_VENDOR = freedesktop
 
 DBUS_GLIB_CONF_ENV = \
 	ac_cv_have_abstract_sockets=yes \
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index b58f1ddda3..279252bd78 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -8,6 +8,8 @@ DBUS_VERSION = 1.12.18
 DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
 DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
 DBUS_LICENSE_FILES = COPYING
+DBUS_CPE_ID_VENDOR = d-bus_project
+DBUS_CPE_ID_NAME = d-bus
 DBUS_INSTALL_STAGING = YES
 
 define DBUS_PERMISSIONS
diff --git a/package/dhcp/dhcp.mk b/package/dhcp/dhcp.mk
index ad59804d3b..988c7792dc 100644
--- a/package/dhcp/dhcp.mk
+++ b/package/dhcp/dhcp.mk
@@ -10,6 +10,7 @@ DHCP_INSTALL_STAGING = YES
 DHCP_LICENSE = MPL-2.0
 DHCP_LICENSE_FILES = LICENSE
 DHCP_DEPENDENCIES = bind
+DHCP_CPE_ID_VENDOR = isc
 
 # use libtool-enabled configure.ac
 define DHCP_LIBTOOL_AUTORECONF
diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk
index 4a7218a2b7..e0e8bed5aa 100644
--- a/package/dnsmasq/dnsmasq.mk
+++ b/package/dnsmasq/dnsmasq.mk
@@ -14,6 +14,7 @@ DNSMASQ_MAKE_OPTS += DESTDIR=$(TARGET_DIR) LDFLAGS="$(TARGET_LDFLAGS)" \
 DNSMASQ_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES)
 DNSMASQ_LICENSE = GPL-2.0 or GPL-3.0
 DNSMASQ_LICENSE_FILES = COPYING COPYING-v3
+DNSMASQ_CPE_ID_VENDOR = thekelleys
 
 DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n)
 
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 00992f0662..87c161f704 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -11,6 +11,8 @@ DROPBEAR_LICENSE = MIT, BSD-2-Clause, Public domain
 DROPBEAR_LICENSE_FILES = LICENSE
 DROPBEAR_TARGET_BINS = dropbearkey dropbearconvert scp
 DROPBEAR_PROGRAMS = dropbear $(DROPBEAR_TARGET_BINS)
+DROPBEAR_CPE_ID_VENDOR = $(DROPBEAR_NAME)_ssh_project
+DROPBEAR_CPE_ID_NAME = $(DROPBEAR_NAME)_ssh
 
 # Disable hardening flags added by dropbear configure.ac, and let
 # Buildroot add them when the relevant options are enabled. This
diff --git a/package/ebtables/ebtables.mk b/package/ebtables/ebtables.mk
index e8b982206c..b94ac8541f 100644
--- a/package/ebtables/ebtables.mk
+++ b/package/ebtables/ebtables.mk
@@ -8,6 +8,7 @@ EBTABLES_VERSION = 2.0.11
 EBTABLES_SITE = http://ftp.netfilter.org/pub/ebtables
 EBTABLES_LICENSE = GPL-2.0+
 EBTABLES_LICENSE_FILES = COPYING
+EBTABLES_CVE_ID_VENDOR = netfilter
 
 ifeq ($(BR2_PACKAGE_EBTABLES_UTILS_SAVE),y)
 define EBTABLES_INSTALL_TARGET_UTILS_SAVE
diff --git a/package/ethtool/ethtool.mk b/package/ethtool/ethtool.mk
index 1668171f3a..0e94a918c2 100644
--- a/package/ethtool/ethtool.mk
+++ b/package/ethtool/ethtool.mk
@@ -9,6 +9,7 @@ ETHTOOL_SOURCE = ethtool-$(ETHTOOL_VERSION).tar.xz
 ETHTOOL_SITE = $(BR2_KERNEL_MIRROR)/software/network/ethtool
 ETHTOOL_LICENSE = GPL-2.0
 ETHTOOL_LICENSE_FILES = LICENSE COPYING
+ETHTOOL_CPE_ID_VENDOR = kernel
 ETHTOOL_CONF_OPTS = \
 	$(if $(BR2_PACKAGE_ETHTOOL_PRETTY_PRINT),--enable-pretty-dump,--disable-pretty-dump)
 
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index bb04ab1a90..201e18ae65 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -12,6 +12,7 @@ EXPAT_DEPENDENCIES = host-pkgconf
 HOST_EXPAT_DEPENDENCIES = host-pkgconf
 EXPAT_LICENSE = MIT
 EXPAT_LICENSE_FILES = COPYING
+EXPAT_CPE_ID_VENDOR = libexpat
 
 EXPAT_CONF_OPTS = --without-docbook
 HOST_EXPAT_CONF_OPTS = --without-docbook
diff --git a/package/gdb/gdb.mk b/package/gdb/gdb.mk
index f31b168bf1..b0a21c1d9f 100644
--- a/package/gdb/gdb.mk
+++ b/package/gdb/gdb.mk
@@ -25,6 +25,7 @@ endif
 
 GDB_LICENSE = GPL-2.0+, LGPL-2.0+, GPL-3.0+, LGPL-3.0+
 GDB_LICENSE_FILES = COPYING COPYING.LIB COPYING3 COPYING3.LIB
+GDB_CPE_ID_VENDOR = gnu
 
 # On gdb < 10, if you want to build only gdbserver, you need to
 # configure only gdb/gdbserver.
diff --git a/package/gesftpserver/gesftpserver.mk b/package/gesftpserver/gesftpserver.mk
index ff7ce768ae..07718a4c42 100644
--- a/package/gesftpserver/gesftpserver.mk
+++ b/package/gesftpserver/gesftpserver.mk
@@ -12,6 +12,8 @@ GESFTPSERVER_LICENSE_FILES = COPYING
 
 # "Missing prototype" warning treated as error
 GESFTPSERVER_CONF_OPTS = --disable-warnings-as-errors
+GESFTPSERVER_CPE_ID_VENDOR = green_end
+GESFTPSERVER_CPE_ID_NAME = sftpserver
 
 # forgets to link against pthread when cross compiling
 GESFTPSERVER_CONF_ENV = LIBS=-lpthread
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 4721177d83..7add82f9ce 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -33,6 +33,7 @@ endif
 
 GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
 GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
+GLIBC_CPE_ID_VENDOR = gnu
 
 # glibc is part of the toolchain so disable the toolchain dependency
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
index d124463a98..a79d5b7d9a 100644
--- a/package/gmp/gmp.mk
+++ b/package/gmp/gmp.mk
@@ -10,6 +10,7 @@ GMP_SOURCE = gmp-$(GMP_VERSION).tar.xz
 GMP_INSTALL_STAGING = YES
 GMP_LICENSE = LGPL-3.0+ or GPL-2.0+
 GMP_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2
+GMP_CPE_ID_VENDOR = gmplib
 GMP_DEPENDENCIES = host-m4
 HOST_GMP_DEPENDENCIES = host-m4
 
diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
index 617def884e..ba424fed96 100644
--- a/package/gnupg/gnupg.mk
+++ b/package/gnupg/gnupg.mk
@@ -10,6 +10,7 @@ GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
 GNUPG_LICENSE = GPL-3.0+
 GNUPG_LICENSE_FILES = COPYING
 GNUPG_DEPENDENCIES = zlib $(if $(BR2_PACKAGE_LIBICONV),libiconv)
+GNUPG_CPE_ID_VENDOR = $(GNUPG_NAME)
 GNUPG_CONF_ENV = ac_cv_sys_symbol_underscore=no
 GNUPG_CONF_OPTS = \
 	--disable-rpath \
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index 9f53150004..65bb4893e8 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -17,6 +17,7 @@ GNUTLS_LICENSE_FILES += doc/COPYING
 endif
 
 GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
+GNUTLS_CPE_ID_VENDOR = gnu
 GNUTLS_CONF_OPTS = \
 	--disable-doc \
 	--disable-guile \
diff --git a/package/grep/grep.mk b/package/grep/grep.mk
index bdc22fa46c..7a07f0b676 100644
--- a/package/grep/grep.mk
+++ b/package/grep/grep.mk
@@ -9,6 +9,7 @@ GREP_SITE = $(BR2_GNU_MIRROR)/grep
 GREP_SOURCE = grep-$(GREP_VERSION).tar.xz
 GREP_LICENSE = GPL-3.0+
 GREP_LICENSE_FILES = COPYING
+GREP_CPE_ID_VENDOR = gnu
 GREP_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
 # install into /bin like busybox grep
 GREP_CONF_OPTS = --exec-prefix=/
diff --git a/package/gtest/gtest.mk b/package/gtest/gtest.mk
index 7f967b8bfb..fc51d9f7a2 100644
--- a/package/gtest/gtest.mk
+++ b/package/gtest/gtest.mk
@@ -10,6 +10,8 @@ GTEST_INSTALL_STAGING = YES
 GTEST_INSTALL_TARGET = NO
 GTEST_LICENSE = BSD-3-Clause
 GTEST_LICENSE_FILES = googletest/LICENSE
+GTEST_CPE_ID_VENDOR = google
+GTEST_CPE_ID_NAME = google_test
 
 ifeq ($(BR2_PACKAGE_GTEST_GMOCK),y)
 GTEST_DEPENDENCIES += host-gtest
diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
index 17b27b497c..c8fd3ddb7a 100644
--- a/package/gzip/gzip.mk
+++ b/package/gzip/gzip.mk
@@ -11,6 +11,7 @@ GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
 GZIP_CONF_OPTS = --exec-prefix=/
 GZIP_LICENSE = GPL-3.0+
 GZIP_LICENSE_FILES = COPYING
+GZIP_CPE_ID_VENDOR = gnu
 GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
 HOST_GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
 # configure substitutes $(SHELL) for the shell shebang in scripts like
diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
index 676e36d8ba..efeefd8b35 100644
--- a/package/hostapd/hostapd.mk
+++ b/package/hostapd/hostapd.mk
@@ -23,6 +23,7 @@ HOSTAPD_IGNORE_CVES += CVE-2019-16275
 # 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
 HOSTAPD_IGNORE_CVES += CVE-2020-12695
 
+HOSTAPD_CPE_ID_VENDOR = w1.fi
 HOSTAPD_CONFIG_SET =
 
 HOSTAPD_CONFIG_ENABLE = \
diff --git a/package/ifupdown/ifupdown.mk b/package/ifupdown/ifupdown.mk
index 84d24aedab..e62c2a79c5 100644
--- a/package/ifupdown/ifupdown.mk
+++ b/package/ifupdown/ifupdown.mk
@@ -9,6 +9,7 @@ IFUPDOWN_SOURCE = ifupdown_$(IFUPDOWN_VERSION).tar.xz
 IFUPDOWN_SITE = http://snapshot.debian.org/archive/debian/20160922T165503Z/pool/main/i/ifupdown
 IFUPDOWN_LICENSE = GPL-2.0+
 IFUPDOWN_LICENSE_FILES = COPYING
+IFUPDOWN_CPE_ID_VENDOR = debian
 
 define IFUPDOWN_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
diff --git a/package/iperf/iperf.mk b/package/iperf/iperf.mk
index 7088b0f152..f1e65e7545 100644
--- a/package/iperf/iperf.mk
+++ b/package/iperf/iperf.mk
@@ -8,6 +8,8 @@ IPERF_VERSION = 2.0.13
 IPERF_SITE = http://downloads.sourceforge.net/project/iperf2
 IPERF_LICENSE = MIT-like
 IPERF_LICENSE_FILES = COPYING
+IPERF_CPE_ID_VENDOR = $(IPERF_NAME)2_project
+IPERF_CPE_ID_NAME = $(IPERF_NAME)2
 
 IPERF_CONF_OPTS = \
 	--disable-web100
diff --git a/package/iperf3/iperf3.mk b/package/iperf3/iperf3.mk
index f67fa17022..7d20b86e78 100644
--- a/package/iperf3/iperf3.mk
+++ b/package/iperf3/iperf3.mk
@@ -9,6 +9,7 @@ IPERF3_SITE = https://downloads.es.net/pub/iperf
 IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz
 IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT
 IPERF3_LICENSE_FILES = LICENSE
+IPERF3_CPE_ID_VENDOR = es
 
 IPERF3_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -D_GNU_SOURCE"
 
diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk
index 869763d322..cea3ee0e05 100644
--- a/package/ipset/ipset.mk
+++ b/package/ipset/ipset.mk
@@ -11,6 +11,7 @@ IPSET_DEPENDENCIES = libmnl host-pkgconf
 IPSET_CONF_OPTS = --with-kmod=no
 IPSET_LICENSE = GPL-2.0
 IPSET_LICENSE_FILES = COPYING
+IPSET_CPE_ID_VENDOR = netfilter
 IPSET_INSTALL_STAGING = YES
 
 $(eval $(autotools-package))
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index 442639f159..053d0e3964 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -12,6 +12,7 @@ IPTABLES_DEPENDENCIES = host-pkgconf \
 	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
 IPTABLES_LICENSE = GPL-2.0
 IPTABLES_LICENSE_FILES = COPYING
+IPTABLES_CPE_ID_VENDOR = netfilter
 # Building static causes ugly warnings on some plugins
 IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
 	$(if $(BR2_STATIC_LIBS),,--disable-static)
diff --git a/package/iw/iw.mk b/package/iw/iw.mk
index 2250ea413b..a232cc8baa 100644
--- a/package/iw/iw.mk
+++ b/package/iw/iw.mk
@@ -9,6 +9,7 @@ IW_SOURCE = iw-$(IW_VERSION).tar.xz
 IW_SITE = $(BR2_KERNEL_MIRROR)/software/network/iw
 IW_LICENSE = ISC
 IW_LICENSE_FILES = COPYING
+IW_CPE_ID_VENDOR = kernel
 IW_DEPENDENCIES = host-pkgconf libnl
 IW_MAKE_ENV = \
 	$(TARGET_MAKE_ENV) \
diff --git a/package/kmod/kmod.mk b/package/kmod/kmod.mk
index 69615452cf..d0f26a8841 100644
--- a/package/kmod/kmod.mk
+++ b/package/kmod/kmod.mk
@@ -15,6 +15,8 @@ HOST_KMOD_DEPENDENCIES = host-pkgconf
 KMOD_LICENSE = LGPL-2.1+ (library)
 KMOD_LICENSE_FILES = libkmod/COPYING
 
+KMOD_CPE_ID_VENDOR = kernel
+
 # --gc-sections triggers binutils ld segfault
 # https://sourceware.org/bugzilla/show_bug.cgi?id=21180
 ifeq ($(BR2_microblaze),y)
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index 708ce637c2..71c8a2e4cf 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -9,6 +9,7 @@ LIBARCHIVE_SITE = https://www.libarchive.de/downloads
 LIBARCHIVE_INSTALL_STAGING = YES
 LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
 LIBARCHIVE_LICENSE_FILES = COPYING
+LIBARCHIVE_CPE_ID_VENDOR = $(LIBARCHIVE_NAME)
 
 ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
 ifeq ($(BR2_STATIC_LIBS),y)
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 74ce3be654..40e2c8ec0e 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -12,6 +12,8 @@ LIBCURL_DEPENDENCIES = host-pkgconf \
 	$(if $(BR2_PACKAGE_RTMPDUMP),rtmpdump)
 LIBCURL_LICENSE = curl
 LIBCURL_LICENSE_FILES = COPYING
+LIBCURL_CPE_ID_VENDOR = haxx
+LIBCURL_CPE_ID_NAME = libcurl
 LIBCURL_INSTALL_STAGING = YES
 
 # We disable NTLM support because it uses fork(), which doesn't work
diff --git a/package/libestr/libestr.mk b/package/libestr/libestr.mk
index 30960f7257..6ce22efae2 100644
--- a/package/libestr/libestr.mk
+++ b/package/libestr/libestr.mk
@@ -8,6 +8,7 @@ LIBESTR_VERSION = 0.1.11
 LIBESTR_SITE = http://libestr.adiscon.com/files/download
 LIBESTR_LICENSE = LGPL-2.1+
 LIBESTR_LICENSE_FILES = COPYING
+LIBESTR_CPE_ID_VENDOR = adiscon
 LIBESTR_INSTALL_STAGING = YES
 
 $(eval $(autotools-package))
diff --git a/package/libfastjson/libfastjson.mk b/package/libfastjson/libfastjson.mk
index ecca72f56c..37dbd7e03e 100644
--- a/package/libfastjson/libfastjson.mk
+++ b/package/libfastjson/libfastjson.mk
@@ -12,5 +12,6 @@ LIBFASTJSON_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 LIBFASTJSON_AUTORECONF = YES
 LIBFASTJSON_LICENSE = MIT
 LIBFASTJSON_LICENSE_FILES = COPYING
+LIBFASTJSON_CPE_ID_VENDOR = rsyslog
 
 $(eval $(autotools-package))
diff --git a/package/libfcgi/libfcgi.mk b/package/libfcgi/libfcgi.mk
index c158df2395..c40d9c5970 100644
--- a/package/libfcgi/libfcgi.mk
+++ b/package/libfcgi/libfcgi.mk
@@ -8,6 +8,8 @@ LIBFCGI_VERSION = 2.4.2
 LIBFCGI_SITE = $(call github,FastCGI-Archives,fcgi2,$(LIBFCGI_VERSION))
 LIBFCGI_LICENSE = OML
 LIBFCGI_LICENSE_FILES = LICENSE.TERMS
+LIBFCGI_CPE_ID_VENDOR = fastcgi
+LIBFCGI_CPE_ID_NAME = fcgi
 LIBFCGI_INSTALL_STAGING = YES
 LIBFCGI_AUTORECONF = YES
 
diff --git a/package/libffi/libffi.mk b/package/libffi/libffi.mk
index 722a03dca0..e87a024040 100644
--- a/package/libffi/libffi.mk
+++ b/package/libffi/libffi.mk
@@ -6,6 +6,8 @@
 
 LIBFFI_VERSION = 3.3
 LIBFFI_SITE = $(call github,libffi,libffi,v$(LIBFFI_VERSION))
+LIBFFI_CPE_ID_VERSION = 3.3
+LIBFFI_CPE_ID_VERSION_MINOR = rc0
 LIBFFI_LICENSE = MIT
 LIBFFI_LICENSE_FILES = LICENSE
 LIBFFI_INSTALL_STAGING = YES
diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
index b2c1ea3cbe..d928d2fd80 100644
--- a/package/libgcrypt/libgcrypt.mk
+++ b/package/libgcrypt/libgcrypt.mk
@@ -12,6 +12,7 @@ LIBGCRYPT_SITE = https://gnupg.org/ftp/gcrypt/libgcrypt
 LIBGCRYPT_INSTALL_STAGING = YES
 LIBGCRYPT_DEPENDENCIES = libgpg-error
 LIBGCRYPT_CONFIG_SCRIPTS = libgcrypt-config
+LIBGCRYPT_CPE_ID_VENDOR = gnupg
 
 # Patching acinclude.m4 in 0001
 # Patching configure.ac and Makefile.am in 0002
diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
index 6e9dbd7b26..e55540976d 100644
--- a/package/libglib2/libglib2.mk
+++ b/package/libglib2/libglib2.mk
@@ -10,6 +10,8 @@ LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
 LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
 LIBGLIB2_LICENSE = LGPL-2.1+
 LIBGLIB2_LICENSE_FILES = COPYING
+LIBGLIB2_CPE_ID_VENDOR = gnome
+LIBGLIB2_CPE_ID_NAME = glib
 LIBGLIB2_INSTALL_STAGING = YES
 
 LIBGLIB2_CFLAGS = $(TARGET_CFLAGS)
diff --git a/package/libgpg-error/libgpg-error.mk b/package/libgpg-error/libgpg-error.mk
index 6281faa662..05c7f710f2 100644
--- a/package/libgpg-error/libgpg-error.mk
+++ b/package/libgpg-error/libgpg-error.mk
@@ -9,6 +9,7 @@ LIBGPG_ERROR_SITE = https://www.gnupg.org/ftp/gcrypt/libgpg-error
 LIBGPG_ERROR_SOURCE = libgpg-error-$(LIBGPG_ERROR_VERSION).tar.bz2
 LIBGPG_ERROR_LICENSE = GPL-2.0+, LGPL-2.1+
 LIBGPG_ERROR_LICENSE_FILES = COPYING COPYING.LIB
+LIBGPG_ERROR_CPE_ID_VENDOR = gnupg
 LIBGPG_ERROR_INSTALL_STAGING = YES
 LIBGPG_ERROR_CONFIG_SCRIPTS = gpg-error-config
 LIBGPG_ERROR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
diff --git a/package/liblogging/liblogging.mk b/package/liblogging/liblogging.mk
index c756891a86..24375b56b4 100644
--- a/package/liblogging/liblogging.mk
+++ b/package/liblogging/liblogging.mk
@@ -8,6 +8,7 @@ LIBLOGGING_VERSION = 1.0.6
 LIBLOGGING_SITE = http://download.rsyslog.com/liblogging
 LIBLOGGING_LICENSE = BSD-2-Clause
 LIBLOGGING_LICENSE_FILES = COPYING
+LIBLOGGING_CPE_ID_VENDOR = adiscon
 LIBLOGGING_INSTALL_STAGING = YES
 LIBLOGGING_CONF_OPTS = --enable-cached-man-pages
 
diff --git a/package/libmbim/libmbim.mk b/package/libmbim/libmbim.mk
index 05345623bd..4ce3ca892e 100644
--- a/package/libmbim/libmbim.mk
+++ b/package/libmbim/libmbim.mk
@@ -9,6 +9,7 @@ LIBMBIM_SITE = https://www.freedesktop.org/software/libmbim
 LIBMBIM_SOURCE = libmbim-$(LIBMBIM_VERSION).tar.xz
 LIBMBIM_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
 LIBMBIM_LICENSE_FILES = COPYING COPYING.LIB
+LIBMBIM_CPE_ID_VENDOR = freedesktop
 LIBMBIM_INSTALL_STAGING = YES
 
 LIBMBIM_DEPENDENCIES = libglib2
diff --git a/package/libmnl/libmnl.mk b/package/libmnl/libmnl.mk
index 7fcce4c21f..d3b33db2e0 100644
--- a/package/libmnl/libmnl.mk
+++ b/package/libmnl/libmnl.mk
@@ -10,5 +10,6 @@ LIBMNL_SITE = http://netfilter.org/projects/libmnl/files
 LIBMNL_INSTALL_STAGING = YES
 LIBMNL_LICENSE = LGPL-2.1+
 LIBMNL_LICENSE_FILES = COPYING
+LIBMNL_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
index 8beefefb51..0a5a94be8f 100644
--- a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
+++ b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
@@ -11,5 +11,6 @@ LIBNETFILTER_CONNTRACK_INSTALL_STAGING = YES
 LIBNETFILTER_CONNTRACK_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
 LIBNETFILTER_CONNTRACK_LICENSE = GPL-2.0+
 LIBNETFILTER_CONNTRACK_LICENSE_FILES = COPYING
+LIBNETFILTER_CONNTRACK_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
index 61d6acd07c..d74ea4d0fd 100644
--- a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
+++ b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_CTHELPER_DEPENDENCIES = host-pkgconf libmnl
 LIBNETFILTER_CTHELPER_AUTORECONF = YES
 LIBNETFILTER_CTHELPER_LICENSE = GPL-2.0+
 LIBNETFILTER_CTHELPER_LICENSE_FILES = COPYING
+LIBNETFILTER_CTHELPER_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
index 9c4c951687..f5c5067b64 100644
--- a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
+++ b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_CTTIMEOUT_DEPENDENCIES = host-pkgconf libmnl
 LIBNETFILTER_CTTIMEOUT_AUTORECONF = YES
 LIBNETFILTER_CTTIMEOUT_LICENSE = GPL-2.0+
 LIBNETFILTER_CTTIMEOUT_LICENSE_FILES = COPYING
+LIBNETFILTER_CTTIMEOUT_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_queue/libnetfilter_queue.mk b/package/libnetfilter_queue/libnetfilter_queue.mk
index 2bb4dd376d..6cd35baea1 100644
--- a/package/libnetfilter_queue/libnetfilter_queue.mk
+++ b/package/libnetfilter_queue/libnetfilter_queue.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_QUEUE_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
 LIBNETFILTER_QUEUE_AUTORECONF = YES
 LIBNETFILTER_QUEUE_LICENSE = GPL-2.0+
 LIBNETFILTER_QUEUE_LICENSE_FILES = COPYING
+LIBNETFILTER_QUEUE_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnfnetlink/libnfnetlink.mk b/package/libnfnetlink/libnfnetlink.mk
index 13f5d72c87..a5ad47b85e 100644
--- a/package/libnfnetlink/libnfnetlink.mk
+++ b/package/libnfnetlink/libnfnetlink.mk
@@ -11,5 +11,6 @@ LIBNFNETLINK_AUTORECONF = YES
 LIBNFNETLINK_INSTALL_STAGING = YES
 LIBNFNETLINK_LICENSE = GPL-2.0
 LIBNFNETLINK_LICENSE_FILES = COPYING
+LIBNFNETLINK_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 8909e36b9e..dd03de7674 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -45,3 +45,14 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
 	  Install additional encryption engine libraries.
 
 endif # BR2_PACKAGE_LIBOPENSSL
+# See package/openssl/Config.in for the actual kconfig
+# of this package. This file provides a URL for CPE use.
+
+#	help
+#	  A collaborative effort to develop a robust, commercial-grade,
+#	  fully featured, and Open Source toolkit implementing the
+#	  Secure Sockets Layer (SSL v2/v3) and Transport Security
+#	  (TLS v1) as well as a full-strength general-purpose
+#	  cryptography library.
+#
+#	  http://www.openssl.org/
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index fe5a444cc7..75a7b485ef 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -15,6 +15,8 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
 LIBOPENSSL_TARGET_ARCH = $(call qstrip,$(BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH))
 LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
 LIBOPENSSL_PROVIDES = openssl
+LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)
+LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)
 
 ifeq ($(BR2_m68k_cf),y)
 # relocation truncated to fit: R_68K_GOT16O
diff --git a/package/libpcap/libpcap.mk b/package/libpcap/libpcap.mk
index 881a109a0a..e323461529 100644
--- a/package/libpcap/libpcap.mk
+++ b/package/libpcap/libpcap.mk
@@ -8,6 +8,7 @@ LIBPCAP_VERSION = 1.9.1
 LIBPCAP_SITE = http://www.tcpdump.org/release
 LIBPCAP_LICENSE = BSD-3-Clause
 LIBPCAP_LICENSE_FILES = LICENSE
+LIBPCAP_CPE_ID_VENDOR = tcpdump
 LIBPCAP_INSTALL_STAGING = YES
 LIBPCAP_DEPENDENCIES = host-flex host-bison
 
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index 8087af539a..fdd13aa942 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -8,6 +8,7 @@ LIBSELINUX_VERSION = 3.1
 LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
 LIBSELINUX_LICENSE = Public Domain
 LIBSELINUX_LICENSE_FILES = LICENSE
+LIBSELINUX_CPE_ID_VENDOR = selinuxproject
 
 LIBSELINUX_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) libsepol pcre
 
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index 3ea0603f53..48e2bbbc8b 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -9,6 +9,7 @@ LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
 LIBSEMANAGE_LICENSE = LGPL-2.1+
 LIBSEMANAGE_LICENSE_FILES = COPYING
 LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
+LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
 LIBSEMANAGE_INSTALL_STAGING = YES
 
 LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index 7d8b7b2063..a4398bdc42 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -8,6 +8,7 @@ LIBSEPOL_VERSION = 3.1
 LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
 LIBSEPOL_LICENSE = LGPL-2.1+
 LIBSEPOL_LICENSE_FILES = COPYING
+LIBSEPOL_CPE_ID_VENDOR = selinuxproject
 
 LIBSEPOL_INSTALL_STAGING = YES
 LIBSEPOL_DEPENDENCIES = host-flex
diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
index c03fe0db55..eb66ab5643 100644
--- a/package/libssh2/libssh2.mk
+++ b/package/libssh2/libssh2.mk
@@ -8,6 +8,7 @@ LIBSSH2_VERSION = 1.9.0
 LIBSSH2_SITE = https://www.libssh2.org/download
 LIBSSH2_LICENSE = BSD
 LIBSSH2_LICENSE_FILES = COPYING
+LIBSSH2_CPE_ID_VENDOR = $(LIBSSH2_NAME)
 LIBSSH2_INSTALL_STAGING = YES
 LIBSSH2_CONF_OPTS = --disable-examples-build
 
diff --git a/package/libsysfs/libsysfs.mk b/package/libsysfs/libsysfs.mk
index 13edc9a4ea..fd8bfa6724 100644
--- a/package/libsysfs/libsysfs.mk
+++ b/package/libsysfs/libsysfs.mk
@@ -10,5 +10,7 @@ LIBSYSFS_SOURCE = sysfsutils-$(LIBSYSFS_VERSION).tar.gz
 LIBSYSFS_INSTALL_STAGING = YES
 LIBSYSFS_LICENSE = GPL-2.0 (utilities), LGPL-2.1+ (library)
 LIBSYSFS_LICENSE_FILES = cmd/GPL lib/LGPL
+LIBSYSFS_CPE_ID_VENDOR = sysfsutils_project
+LIBSYSFS_CPE_ID_NAME = sysfsutils
 
 $(eval $(autotools-package))
diff --git a/package/libtasn1/libtasn1.mk b/package/libtasn1/libtasn1.mk
index d5a6c69965..a354716824 100644
--- a/package/libtasn1/libtasn1.mk
+++ b/package/libtasn1/libtasn1.mk
@@ -9,6 +9,7 @@ LIBTASN1_SITE = $(BR2_GNU_MIRROR)/libtasn1
 LIBTASN1_DEPENDENCIES = host-bison host-pkgconf
 LIBTASN1_LICENSE = GPL-3.0+ (tests, tools), LGPL-2.1+ (library)
 LIBTASN1_LICENSE_FILES = LICENSE doc/COPYING doc/COPYING.LESSER
+LIBTASN1_CPE_ID_VENDOR = gnu
 LIBTASN1_INSTALL_STAGING = YES
 
 # We're patching fuzz/Makefile.am
diff --git a/package/libunistring/libunistring.mk b/package/libunistring/libunistring.mk
index fa51447170..1ed7ecf906 100644
--- a/package/libunistring/libunistring.mk
+++ b/package/libunistring/libunistring.mk
@@ -10,6 +10,7 @@ LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
 LIBUNISTRING_INSTALL_STAGING = YES
 LIBUNISTRING_LICENSE = LGPL-3.0+ or GPL-2.0
 LIBUNISTRING_LICENSE_FILES = COPYING COPYING.LIB
+LIBUNISTRING_CPE_ID_VENDOR = gnu
 
 $(eval $(autotools-package))
 $(eval $(host-autotools-package))
diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
index e9379b05ae..e472970fde 100644
--- a/package/libxml2/libxml2.mk
+++ b/package/libxml2/libxml2.mk
@@ -15,6 +15,7 @@ LIBXML2_IGNORE_CVES += CVE-2020-7595
 LIBXML2_IGNORE_CVES += CVE-2019-20388
 # 0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch
 LIBXML2_IGNORE_CVES += CVE-2020-24977
+LIBXML2_CPE_ID_VENDOR = xmlsoft
 LIBXML2_CONFIG_SCRIPTS = xml2-config
 
 # relocation truncated to fit: R_68K_GOT16O
diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
index 2f37f303ac..3c603ad9f6 100644
--- a/package/libxslt/libxslt.mk
+++ b/package/libxslt/libxslt.mk
@@ -9,6 +9,7 @@ LIBXSLT_SITE = http://xmlsoft.org/sources
 LIBXSLT_INSTALL_STAGING = YES
 LIBXSLT_LICENSE = MIT
 LIBXSLT_LICENSE_FILES = COPYING
+LIBXSLT_CPE_ID_VENDOR = xmlsoft
 
 LIBXSLT_CONF_OPTS = \
 	--with-gnu-ld \
diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index eea0c12f22..a1e2640bac 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -11,6 +11,8 @@ LIBZLIB_LICENSE = Zlib
 LIBZLIB_LICENSE_FILES = README
 LIBZLIB_INSTALL_STAGING = YES
 LIBZLIB_PROVIDES = zlib
+LIBZLIB_CPE_ID_VENDOR = gnu
+LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)
 
 # It is not possible to build only a shared version of zlib, so we build both
 # shared and static, unless we only want the static libs, and we eventually
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 7181465c66..39600ef94b 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -10,6 +10,7 @@ LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
 LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
 LIGHTTPD_LICENSE = BSD-3-Clause
 LIGHTTPD_LICENSE_FILES = COPYING
+LIGHTTPD_CPE_ID_VENDOR = $(LIGHTTPD_NAME)
 LIGHTTPD_DEPENDENCIES = host-pkgconf
 LIGHTTPD_CONF_OPTS = \
 	--without-wolfssl \
diff --git a/package/linux-firmware/linux-firmware.mk b/package/linux-firmware/linux-firmware.mk
index d9ad942903..368ff83a37 100644
--- a/package/linux-firmware/linux-firmware.mk
+++ b/package/linux-firmware/linux-firmware.mk
@@ -8,6 +8,8 @@ LINUX_FIRMWARE_VERSION = 20200122
 LINUX_FIRMWARE_SITE = http://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
 LINUX_FIRMWARE_SITE_METHOD = git
 
+LINUX_FIRMWARE_CPE_ID_VENDOR = kernel
+
 # Intel SST DSP
 ifeq ($(BR2_PACKAGE_LINUX_FIRMWARE_INTEL_SST_DSP),y)
 LINUX_FIRMWARE_FILES += intel/fw_sst_0f28.bin-48kHz_i2s_master
diff --git a/package/linux-headers/linux-headers.mk b/package/linux-headers/linux-headers.mk
index 4c3cb716b3..4496295f2a 100644
--- a/package/linux-headers/linux-headers.mk
+++ b/package/linux-headers/linux-headers.mk
@@ -102,6 +102,8 @@ LINUX_HEADERS_LICENSE_FILES = \
 	LICENSES/preferred/GPL-2.0 \
 	LICENSES/exceptions/Linux-syscall-note
 endif
+LINUX_HEADERS_CPE_ID_VENDOR = linux
+LINUX_HEADERS_CPE_ID_NAME = linux_kernel
 
 LINUX_HEADERS_INSTALL_STAGING = YES
 
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 57fb2c9cfd..ecd4a723c4 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -23,6 +23,8 @@ LINUX_PAM_LICENSE_FILES = Copyright
 # We're patching configure.ac
 LINUX_PAM_AUTORECONF = YES
 LINUX_PAM_MAKE_OPTS += LIBS=$(TARGET_NLS_LIBS)
+LINUX_PAM_CPE_ID_VENDOR = $(LINUX_PAM_NAME)
+LINUX_PAM_CPE_ID_NAME = $(LINUX_PAM_NAME)
 
 ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
 LINUX_PAM_CONF_OPTS += --enable-selinux
diff --git a/package/llvm/llvm.mk b/package/llvm/llvm.mk
index 24d033d124..177fff71bb 100644
--- a/package/llvm/llvm.mk
+++ b/package/llvm/llvm.mk
@@ -10,6 +10,7 @@ LLVM_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLV
 LLVM_SOURCE = llvm-$(LLVM_VERSION).src.tar.xz
 LLVM_LICENSE = Apache-2.0 with exceptions
 LLVM_LICENSE_FILES = LICENSE.TXT
+LLVM_CPE_ID_VENDOR = $(LLVM_NAME)
 LLVM_SUPPORTS_IN_SOURCE_BUILD = NO
 LLVM_INSTALL_STAGING = YES
 
diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
index b067f145e3..576036e246 100644
--- a/package/lxc/lxc.mk
+++ b/package/lxc/lxc.mk
@@ -8,6 +8,7 @@ LXC_VERSION = 4.0.5
 LXC_SITE = https://linuxcontainers.org/downloads/lxc
 LXC_LICENSE = GPL-2.0 (some tools), LGPL-2.1+
 LXC_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1
+LXC_CPE_ID_VENDOR = linuxcontainers
 LXC_DEPENDENCIES = host-pkgconf
 LXC_INSTALL_STAGING = YES
 
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index fa309e8dbb..7c91b6eecc 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -9,6 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
 LZ4_INSTALL_STAGING = YES
 LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
 LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
+LZ4_CPE_ID_VENDOR = yann_collet
 
 # CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
 # 1.9.2, while in fact this issue has been fixed since lz4-r130:
diff --git a/package/memtester/memtester.mk b/package/memtester/memtester.mk
index 1a319462a5..49cc935f39 100644
--- a/package/memtester/memtester.mk
+++ b/package/memtester/memtester.mk
@@ -8,6 +8,7 @@ MEMTESTER_VERSION = 4.5.0
 MEMTESTER_SITE = http://pyropus.ca/software/memtester/old-versions
 MEMTESTER_LICENSE = GPL-2.0
 MEMTESTER_LICENSE_FILES = COPYING
+MEMTESTER_CPE_ID_VENDOR = pryopus
 
 MEMTESTER_TARGET_INSTALL_OPTS = INSTALLPATH=$(TARGET_DIR)/usr
 
diff --git a/package/mii-diag/mii-diag.mk b/package/mii-diag/mii-diag.mk
index 6efd5be80d..a7c6483221 100644
--- a/package/mii-diag/mii-diag.mk
+++ b/package/mii-diag/mii-diag.mk
@@ -10,6 +10,7 @@ MII_DIAG_PATCH = mii-diag_$(MII_DIAG_VERSION)-3.diff.gz
 MII_DIAG_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/m/mii-diag
 MII_DIAG_LICENSE = GPL # No version specified
 MII_DIAG_LICENSE_FILES = mii-diag.c
+MII_DIAG_CPE_ID_VENDOR = debian
 
 MII_DIAG_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
 
diff --git a/package/mpfr/mpfr.mk b/package/mpfr/mpfr.mk
index ef2999eb16..837aff3aa5 100644
--- a/package/mpfr/mpfr.mk
+++ b/package/mpfr/mpfr.mk
@@ -9,6 +9,7 @@ MPFR_SITE = http://www.mpfr.org/mpfr-$(MPFR_VERSION)
 MPFR_SOURCE = mpfr-$(MPFR_VERSION).tar.xz
 MPFR_LICENSE = LGPL-3.0+
 MPFR_LICENSE_FILES = COPYING.LESSER
+MPFR_CPE_ID_VENDOR = gnu
 MPFR_INSTALL_STAGING = YES
 MPFR_DEPENDENCIES = gmp
 HOST_MPFR_DEPENDENCIES = host-gmp
diff --git a/package/mrouted/mrouted.mk b/package/mrouted/mrouted.mk
index ae2f8a4e20..4e3715b445 100644
--- a/package/mrouted/mrouted.mk
+++ b/package/mrouted/mrouted.mk
@@ -11,6 +11,7 @@ MROUTED_DEPENDENCIES = host-bison
 MROUTED_LICENSE = BSD-3-Clause
 MROUTED_LICENSE_FILES = LICENSE
 MROUTED_CONFIGURE_OPTS = --enable-rsrr
+MROUTED_CPE_ID_VENDOR = troglobit
 
 define MROUTED_INSTALL_INIT_SYSTEMD
 	$(INSTALL) -D -m 644 $(@D)/mrouted.service \
diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
index 9f259b35d9..d0e70b8c8b 100644
--- a/package/mtd/mtd.mk
+++ b/package/mtd/mtd.mk
@@ -9,6 +9,8 @@ MTD_SOURCE = mtd-utils-$(MTD_VERSION).tar.bz2
 MTD_SITE = ftp://ftp.infradead.org/pub/mtd-utils
 MTD_LICENSE = GPL-2.0
 MTD_LICENSE_FILES = COPYING
+MTD_CPE_ID_VENDOR = mtd-utils_project
+MTD_CPE_ID_NAME = mtd-utils
 MTD_INSTALL_STAGING = YES
 
 ifeq ($(BR2_PACKAGE_MTD_JFFS_UTILS),y)
diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
index c11650c766..5c5e497488 100644
--- a/package/ncurses/ncurses.mk
+++ b/package/ncurses/ncurses.mk
@@ -10,6 +10,7 @@ NCURSES_INSTALL_STAGING = YES
 NCURSES_DEPENDENCIES = host-ncurses
 NCURSES_LICENSE = MIT with advertising clause
 NCURSES_LICENSE_FILES = COPYING
+NCURSES_CPE_ID_VENDOR = gnu
 NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
 NCURSES_PATCH = \
 	$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
index 904279d1fb..09ca33f754 100644
--- a/package/netsnmp/netsnmp.mk
+++ b/package/netsnmp/netsnmp.mk
@@ -9,6 +9,8 @@ NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NET
 NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
 NETSNMP_LICENSE = Various BSD-like
 NETSNMP_LICENSE_FILES = COPYING
+NETSNMP_CPE_ID_VENDOR = net-snmp
+NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR)
 NETSNMP_INSTALL_STAGING = YES
 NETSNMP_CONF_ENV = ac_cv_NETSNMP_CAN_USE_SYSCTL=no
 NETSNMP_CONF_OPTS = \
diff --git a/package/nfs-utils/nfs-utils.mk b/package/nfs-utils/nfs-utils.mk
index d60b5055a0..df581b381f 100644
--- a/package/nfs-utils/nfs-utils.mk
+++ b/package/nfs-utils/nfs-utils.mk
@@ -10,6 +10,8 @@ NFS_UTILS_SITE = https://www.kernel.org/pub/linux/utils/nfs-utils/$(NFS_UTILS_VE
 NFS_UTILS_LICENSE = GPL-2.0+
 NFS_UTILS_LICENSE_FILES = COPYING
 NFS_UTILS_DEPENDENCIES = host-nfs-utils host-pkgconf libtirpc
+NFS_UTILS_CPE_ID_VENDOR = linux-nfs
+NFS_UTILS_AUTORECONF = YES
 
 NFS_UTILS_CONF_ENV = knfsd_cv_bsd_signals=no
 
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 64ac22181b..c8937229ab 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -5,6 +5,8 @@
 ################################################################################
 
 OPENSSH_VERSION = 8.3p1
+OPENSSH_CPE_ID_VERSION = 8.3
+OPENSSH_CPE_ID_VERSION_MINOR = p1
 OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
 OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
 OPENSSH_LICENSE_FILES = LICENCE
@@ -12,6 +14,7 @@ OPENSSH_CONF_ENV = \
 	LD="$(TARGET_CC)" \
 	LDFLAGS="$(TARGET_CFLAGS)" \
 	LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
+OPENSSH_CPE_ID_VENDOR = openbsd
 OPENSSH_CONF_OPTS = \
 	--sysconfdir=/etc/ssh \
 	--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
diff --git a/package/pax-utils/pax-utils.mk b/package/pax-utils/pax-utils.mk
index 502fc87446..704e50e738 100644
--- a/package/pax-utils/pax-utils.mk
+++ b/package/pax-utils/pax-utils.mk
@@ -9,6 +9,7 @@ PAX_UTILS_SITE = http://distfiles.gentoo.org/distfiles
 PAX_UTILS_SOURCE = pax-utils-$(PAX_UTILS_VERSION).tar.xz
 PAX_UTILS_LICENSE = GPL-2.0
 PAX_UTILS_LICENSE_FILES = COPYING
+PAX_UTILS_CPE_ID_VENDOR = gentoo
 
 PAX_UTILS_DEPENDENCIES = host-pkgconf
 PAX_UTILS_CONF_OPTS = --without-python
diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
index e632e222c3..1b8d6699b6 100644
--- a/package/paxtest/paxtest.mk
+++ b/package/paxtest/paxtest.mk
@@ -8,6 +8,7 @@ PAXTEST_VERSION = 0.9.15
 PAXTEST_SITE = https://www.grsecurity.net/~spender
 PAXTEST_LICENSE = GPL-2.0+
 PAXTEST_LICENSE_FILES = README
+PAXTEST_CPE_ID_VENDOR = grsecurity
 
 define PAXTEST_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
index 3c280e593f..b37a2ca9b7 100644
--- a/package/pcre/pcre.mk
+++ b/package/pcre/pcre.mk
@@ -9,6 +9,7 @@ PCRE_SITE = https://ftp.pcre.org/pub/pcre
 PCRE_SOURCE = pcre-$(PCRE_VERSION).tar.bz2
 PCRE_LICENSE = BSD-3-Clause
 PCRE_LICENSE_FILES = LICENCE
+PCRE_CPE_ID_VENDOR = $(PCRE_NAME)
 PCRE_INSTALL_STAGING = YES
 PCRE_CONFIG_SCRIPTS = pcre-config
 
diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
index a446ebca46..52d4e36f2e 100644
--- a/package/pixman/pixman.mk
+++ b/package/pixman/pixman.mk
@@ -9,6 +9,7 @@ PIXMAN_SOURCE = pixman-$(PIXMAN_VERSION).tar.xz
 PIXMAN_SITE = https://xorg.freedesktop.org/releases/individual/lib
 PIXMAN_LICENSE = MIT
 PIXMAN_LICENSE_FILES = COPYING
+PIXMAN_CPE_ID_VENDOR = $(PIXMAN_NAME)
 
 PIXMAN_INSTALL_STAGING = YES
 PIXMAN_DEPENDENCIES = host-pkgconf
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 4c0fdc71a7..0dfdc7af03 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -8,6 +8,7 @@ POLICYCOREUTILS_VERSION = 3.1
 POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
 POLICYCOREUTILS_LICENSE = GPL-2.0
 POLICYCOREUTILS_LICENSE_FILES = COPYING
+POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
 
 POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
 POLICYCOREUTILS_MAKE_OPTS = LDLIBS=$(TARGET_NLS_LIBS)
diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk
index 685666a200..118f9fc334 100644
--- a/package/pppd/pppd.mk
+++ b/package/pppd/pppd.mk
@@ -10,6 +10,8 @@ PPPD_LICENSE = LGPL-2.0+, LGPL, BSD-4-Clause, BSD-3-Clause, GPL-2.0+
 PPPD_LICENSE_FILES = \
 	pppd/tdb.c pppd/plugins/pppoatm/COPYING \
 	pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c
+PPPD_CPE_ID_VENDOR = samba
+PPPD_CPE_ID_NAME = ppp
 
 # 0001-pppd-Fix-bounds-check.patch
 PPPD_IGNORE_CVES += CVE-2020-8597
diff --git a/package/proftpd/proftpd.mk b/package/proftpd/proftpd.mk
index e126d0e0a4..94276233c8 100644
--- a/package/proftpd/proftpd.mk
+++ b/package/proftpd/proftpd.mk
@@ -8,6 +8,7 @@ PROFTPD_VERSION = 1.3.6c
 PROFTPD_SITE = $(call github,proftpd,proftpd,v$(PROFTPD_VERSION))
 PROFTPD_LICENSE = GPL-2.0+
 PROFTPD_LICENSE_FILES = COPYING
+PROFTPD_CPE_ID_VENDOR = $(PROFTPD_NAME)
 
 PROFTPD_CONF_ENV = \
 	ac_cv_func_setpgrp_void=yes \
diff --git a/package/protobuf/protobuf.mk b/package/protobuf/protobuf.mk
index 5f2690603d..773a7bd0f0 100644
--- a/package/protobuf/protobuf.mk
+++ b/package/protobuf/protobuf.mk
@@ -12,6 +12,7 @@ PROTOBUF_SOURCE = protobuf-cpp-$(PROTOBUF_VERSION).tar.gz
 PROTOBUF_SITE = https://github.com/google/protobuf/releases/download/v$(PROTOBUF_VERSION)
 PROTOBUF_LICENSE = BSD-3-Clause
 PROTOBUF_LICENSE_FILES = LICENSE
+PROTOBUF_CPE_ID_VENDOR = google
 
 # N.B. Need to use host protoc during cross compilation.
 PROTOBUF_DEPENDENCIES = host-protobuf
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 7b7c7d9637..7e3d18b433 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -9,6 +9,7 @@ PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
 PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
 PURE_FTPD_LICENSE = ISC
 PURE_FTPD_LICENSE_FILES = COPYING
+PURE_FTPD_CPE_ID_VENDOR = pureftpd
 PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
 
 # 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index 7e727a6753..0b95cf4dc6 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -15,6 +15,8 @@ PYTHON_LXML_LICENSE_FILES = \
 	doc/licenses/BSD.txt \
 	doc/licenses/elementtree.txt \
 	src/lxml/isoschematron/resources/rng/iso-schematron.rng
+PYTHON_LXML_CPE_ID_VENDOR = lxml
+PYTHON_LXML_CPE_ID_NAME = lxml
 
 # python-lxml can use either setuptools, or distutils as a fallback.
 # So, we use setuptools.
diff --git a/package/python-setuptools/python-setuptools.mk b/package/python-setuptools/python-setuptools.mk
index 2cb575ae22..ade5ca5521 100644
--- a/package/python-setuptools/python-setuptools.mk
+++ b/package/python-setuptools/python-setuptools.mk
@@ -11,6 +11,8 @@ PYTHON_SETUPTOOLS_SOURCE = setuptools-$(PYTHON_SETUPTOOLS_VERSION).zip
 PYTHON_SETUPTOOLS_SITE = https://files.pythonhosted.org/packages/b0/f3/44da7482ac6da3f36f68e253cb04de37365b3dba9036a3c70773b778b485
 PYTHON_SETUPTOOLS_LICENSE = MIT
 PYTHON_SETUPTOOLS_LICENSE_FILES = LICENSE
+PYTHON_SETUPTOOLS_CPE_ID_VENDOR = python
+PYTHON_SETUPTOOLS_CPE_ID_NAME = setuptools
 PYTHON_SETUPTOOLS_SETUP_TYPE = setuptools
 HOST_PYTHON_SETUPTOOLS_NEEDS_HOST_PYTHON = python2
 
diff --git a/package/python/python.mk b/package/python/python.mk
index 10718f4358..6240cb6c2f 100644
--- a/package/python/python.mk
+++ b/package/python/python.mk
@@ -10,6 +10,7 @@ PYTHON_SOURCE = Python-$(PYTHON_VERSION).tar.xz
 PYTHON_SITE = https://python.org/ftp/python/$(PYTHON_VERSION)
 PYTHON_LICENSE = Python-2.0, others
 PYTHON_LICENSE_FILES = LICENSE
+PYTHON_CPE_ID_VENDOR = $(PYTHON_NAME)
 PYTHON_LIBTOOL_PATCH = NO
 
 # Python needs itself to be built, so in order to cross-compile
diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
index 69850ec938..a4b5688605 100644
--- a/package/qemu/qemu.mk
+++ b/package/qemu/qemu.mk
@@ -12,6 +12,7 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
 # NOTE: there is no top-level license file for non-(L)GPL licenses;
 #       the non-(L)GPL license texts are specified in the affected
 #       individual source files.
+QEMU_CPE_ID_VENDOR = $(QEMU_NAME)
 
 #-------------------------------------------------------------
 # Target-qemu
diff --git a/package/rapidjson/rapidjson.mk b/package/rapidjson/rapidjson.mk
index 9f1c82ce40..d3bcef7df1 100644
--- a/package/rapidjson/rapidjson.mk
+++ b/package/rapidjson/rapidjson.mk
@@ -8,6 +8,7 @@ RAPIDJSON_VERSION = 1.1.0
 RAPIDJSON_SITE = $(call github,miloyip,rapidjson,v$(RAPIDJSON_VERSION))
 RAPIDJSON_LICENSE = MIT
 RAPIDJSON_LICENSE_FILES = license.txt
+RAPIDJSON_CPE_ID_VENDOR = tencent
 
 # rapidjson is a header-only C++ library
 RAPIDJSON_INSTALL_TARGET = NO
diff --git a/package/readline/readline.mk b/package/readline/readline.mk
index f5d7d5bf9e..04872ac868 100644
--- a/package/readline/readline.mk
+++ b/package/readline/readline.mk
@@ -14,6 +14,7 @@ READLINE_CONF_ENV = bash_cv_func_sigsetjmp=yes \
 READLINE_CONF_OPTS = --disable-install-examples
 READLINE_LICENSE = GPL-3.0+
 READLINE_LICENSE_FILES = COPYING
+READLINE_CPE_ID_VENDOR = gnu
 
 define READLINE_INSTALL_INPUTRC
 	$(INSTALL) -D -m 644 package/readline/inputrc $(TARGET_DIR)/etc/inputrc
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 0e94b72826..90b555d859 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -6,6 +6,7 @@
 
 REFPOLICY_LICENSE = GPL-2.0
 REFPOLICY_LICENSE_FILES = COPYING
+REFPOLICY_CPE_ID_VENDOR = tresys
 REFPOLICY_INSTALL_STAGING = YES
 REFPOLICY_DEPENDENCIES = \
 	host-m4 \
diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 50f3328493..040b33795e 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -8,6 +8,7 @@ RSYSLOG_VERSION = 8.2004.0
 RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
 RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
 RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
+RSYSLOG_CPE_ID_VENDOR = $(RSYSLOG_NAME)
 RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
 RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
 RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
diff --git a/package/rt-tests/rt-tests.mk b/package/rt-tests/rt-tests.mk
index 26c257213b..d4fdab0f5d 100644
--- a/package/rt-tests/rt-tests.mk
+++ b/package/rt-tests/rt-tests.mk
@@ -10,6 +10,7 @@ RT_TESTS_VERSION = 1.9
 RT_TESTS_LICENSE = GPL-2.0+
 RT_TESTS_LICENSE_FILES = COPYING
 RT_TESTS_DEPENDENCIES = numactl
+RT_TESTS_CPE_ID_VENDOR = kernel
 
 define RT_TESTS_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
diff --git a/package/sed/sed.mk b/package/sed/sed.mk
index 6bb3220553..64fb2035b0 100644
--- a/package/sed/sed.mk
+++ b/package/sed/sed.mk
@@ -9,6 +9,7 @@ SED_SOURCE = sed-$(SED_VERSION).tar.xz
 SED_SITE = $(BR2_GNU_MIRROR)/sed
 SED_LICENSE = GPL-3.0
 SED_LICENSE_FILES = COPYING
+SED_CPE_ID_VENDOR = gnu
 
 SED_CONF_OPTS = \
 	--bindir=/bin \
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
index c1a3a909cb..a07b1367a2 100644
--- a/package/setools/setools.mk
+++ b/package/setools/setools.mk
@@ -10,6 +10,7 @@ SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-fle
 SETOOLS_INSTALL_STAGING = YES
 SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
 SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
+SETOOLS_CPE_ID_VENDOR = selinuxproject
 SETOOLS_SETUP_TYPE = setuptools
 HOST_SETOOLS_DEPENDENCIES = host-python3-cython host-libselinux host-libsepol host-python-networkx
 HOST_SETOOLS_NEEDS_HOST_PYTHON = python3
diff --git a/package/setserial/setserial.mk b/package/setserial/setserial.mk
index 66ca59d79d..2e29e4c803 100644
--- a/package/setserial/setserial.mk
+++ b/package/setserial/setserial.mk
@@ -10,6 +10,7 @@ SETSERIAL_SOURCE = setserial_$(SETSERIAL_VERSION).orig.tar.gz
 SETSERIAL_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/s/setserial
 SETSERIAL_LICENSE = GPL-2.0
 SETSERIAL_LICENSE_FILES = debian/copyright
+
 # make all also builds setserial.cat which needs nroff
 SETSERIAL_MAKE_OPTS = setserial
 
diff --git a/package/smcroute/smcroute.mk b/package/smcroute/smcroute.mk
index 1a36c75d47..0db0e084f6 100644
--- a/package/smcroute/smcroute.mk
+++ b/package/smcroute/smcroute.mk
@@ -9,6 +9,7 @@ SMCROUTE_SOURCE = smcroute-$(SMCROUTE_VERSION).tar.xz
 SMCROUTE_SITE = https://github.com/troglobit/smcroute/releases/download/$(SMCROUTE_VERSION)
 SMCROUTE_LICENSE = GPL-2.0+
 SMCROUTE_LICENSE_FILES = COPYING
+SMCROUTE_CPE_ID_VENDOR = troglobit
 
 SMCROUTE_CONF_OPTS = ac_cv_func_setpgrp_void=yes
 #BUG:The package Makefile uses CC?= even though the package is autotools based
diff --git a/package/spawn-fcgi/spawn-fcgi.mk b/package/spawn-fcgi/spawn-fcgi.mk
index ed97d0a7b4..8caa1e2b3c 100644
--- a/package/spawn-fcgi/spawn-fcgi.mk
+++ b/package/spawn-fcgi/spawn-fcgi.mk
@@ -9,5 +9,6 @@ SPAWN_FCGI_SITE = http://www.lighttpd.net/download
 SPAWN_FCGI_SOURCE = spawn-fcgi-$(SPAWN_FCGI_VERSION).tar.bz2
 SPAWN_FCGI_LICENSE = BSD-3-Clause
 SPAWN_FCGI_LICENSE_FILES = COPYING
+SPAWN_FCGI_CPE_ID_VENDOR = lighttpd
 
 $(eval $(autotools-package))
diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index c8b9ba3150..796292178c 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -5,11 +5,13 @@
 ################################################################################
 
 SQLITE_VERSION = 3320300
+SQLITE_CPE_ID_VERSION = 3.31.1
 SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz
 SQLITE_SITE = https://www.sqlite.org/2020
 SQLITE_LICENSE = Public domain
 SQLITE_LICENSE_FILES = tea/license.terms
 SQLITE_INSTALL_STAGING = YES
+SQLITE_CPE_ID_VENDOR = $(SQLITE_NAME)
 
 ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y)
 SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index a0290c5bf6..e0e8bb0ce8 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -9,6 +9,7 @@ STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2
 STRONGSWAN_SITE = http://download.strongswan.org
 STRONGSWAN_LICENSE = GPL-2.0+
 STRONGSWAN_LICENSE_FILES = COPYING LICENSE
+STRONGSWAN_CPE_ID_VENDOR = $(STRONGSWAN_NAME)
 STRONGSWAN_DEPENDENCIES = host-pkgconf
 STRONGSWAN_INSTALL_STAGING = YES
 STRONGSWAN_CONF_OPTS += \
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 9e0a40e561..643eff1cbc 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -12,6 +12,7 @@ TAR_SITE = $(BR2_GNU_MIRROR)/tar
 TAR_CONF_OPTS = --exec-prefix=/
 TAR_LICENSE = GPL-3.0+
 TAR_LICENSE_FILES = COPYING
+TAR_CPE_ID_VENDOR = gnu
 
 ifeq ($(BR2_PACKAGE_ACL),y)
 TAR_DEPENDENCIES += acl
diff --git a/package/tcl/tcl.mk b/package/tcl/tcl.mk
index 6d750b3cd2..913891e897 100644
--- a/package/tcl/tcl.mk
+++ b/package/tcl/tcl.mk
@@ -10,6 +10,7 @@ TCL_SOURCE = tcl$(TCL_VERSION)-src.tar.gz
 TCL_SITE = http://downloads.sourceforge.net/project/tcl/Tcl/$(TCL_VERSION)
 TCL_LICENSE = TCL
 TCL_LICENSE_FILES = license.terms
+TCL_CPE_ID_VENDOR = $(TCL_NAME)
 TCL_SUBDIR = unix
 TCL_INSTALL_STAGING = YES
 TCL_AUTORECONF = YES
diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk
index 01a46b9b5f..9687e3c497 100644
--- a/package/tcpdump/tcpdump.mk
+++ b/package/tcpdump/tcpdump.mk
@@ -8,6 +8,7 @@ TCPDUMP_VERSION = 4.9.3
 TCPDUMP_SITE = http://www.tcpdump.org/release
 TCPDUMP_LICENSE = BSD-3-Clause
 TCPDUMP_LICENSE_FILES = LICENSE
+TCPDUMP_CPE_ID_VENDOR = $(TCPDUMP_NAME)
 TCPDUMP_CONF_ENV = \
 	ac_cv_linux_vers=2 \
 	td_cv_buggygetaddrinfo=no \
diff --git a/package/tftpd/tftpd.mk b/package/tftpd/tftpd.mk
index 57905fda05..301a222e39 100644
--- a/package/tftpd/tftpd.mk
+++ b/package/tftpd/tftpd.mk
@@ -10,6 +10,8 @@ TFTPD_SITE = $(BR2_KERNEL_MIRROR)/software/network/tftp/tftp-hpa
 TFTPD_CONF_OPTS = --without-tcpwrappers
 TFTPD_LICENSE = BSD-4-Clause
 TFTPD_LICENSE_FILES = tftpd/tftpd.c
+TFTPD_CPE_ID_VENDOR = $(TFTPD_NAME)-hpa_project
+TFTPD_CPE_ID_NAME = $(TFTPD_NAME)-hpa
 
 define TFTPD_INSTALL_TARGET_CMDS
 	$(INSTALL) -D $(@D)/tftp/tftp $(TARGET_DIR)/usr/bin/tftp
diff --git a/package/uboot-tools/uboot-tools.mk b/package/uboot-tools/uboot-tools.mk
index 6aa7cba2dd..3a8e21ec9b 100644
--- a/package/uboot-tools/uboot-tools.mk
+++ b/package/uboot-tools/uboot-tools.mk
@@ -9,6 +9,8 @@ UBOOT_TOOLS_SOURCE = u-boot-$(UBOOT_TOOLS_VERSION).tar.bz2
 UBOOT_TOOLS_SITE = ftp://ftp.denx.de/pub/u-boot
 UBOOT_TOOLS_LICENSE = GPL-2.0+
 UBOOT_TOOLS_LICENSE_FILES = Licenses/gpl-2.0.txt
+UBOOT_TOOLS_CPE_ID_VENDOR = denx
+UBOOT_TOOLS_CPE_ID_NAME = u-boot
 UBOOT_TOOLS_INSTALL_STAGING = YES
 
 # u-boot 2020.01+ needs make 4.0+
diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index 0b29ef4d6f..46d7474b7f 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -23,6 +23,7 @@ UTIL_LINUX_LICENSE_FILES = README.licensing \
 	Documentation/licenses/COPYING.ISC \
 	Documentation/licenses/COPYING.LGPL-2.1-or-later
 
+UTIL_LINUX_CPE_ID_VENDOR = kernel
 UTIL_LINUX_INSTALL_STAGING = YES
 UTIL_LINUX_DEPENDENCIES = \
 	host-pkgconf \
diff --git a/package/valgrind/valgrind.mk b/package/valgrind/valgrind.mk
index 7fd3278614..7d0070a974 100644
--- a/package/valgrind/valgrind.mk
+++ b/package/valgrind/valgrind.mk
@@ -9,6 +9,7 @@ VALGRIND_SITE = https://sourceware.org/pub/valgrind
 VALGRIND_SOURCE = valgrind-$(VALGRIND_VERSION).tar.bz2
 VALGRIND_LICENSE = GPL-2.0, GFDL-1.2
 VALGRIND_LICENSE_FILES = COPYING COPYING.DOCS
+VALGRIND_CPE_ID_VENDOR = $(VALGRIND_NAME)
 VALGRIND_CONF_OPTS = \
 	--disable-ubsan \
 	--without-mpicc
diff --git a/package/vim/vim.mk b/package/vim/vim.mk
index 1fbb6a6b86..2bd3d437e4 100644
--- a/package/vim/vim.mk
+++ b/package/vim/vim.mk
@@ -23,6 +23,7 @@ VIM_CONF_ENV = \
 VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
 VIM_LICENSE = Charityware
 VIM_LICENSE_FILES = README.txt
+VIM_CPE_ID_VENDOR = $(VIM_NAME)
 
 ifeq ($(BR2_PACKAGE_ACL),y)
 VIM_CONF_OPTS += --enable-acl
diff --git a/package/wget/wget.mk b/package/wget/wget.mk
index ed3f1fdff9..65c132e453 100644
--- a/package/wget/wget.mk
+++ b/package/wget/wget.mk
@@ -10,6 +10,7 @@ WGET_SITE = $(BR2_GNU_MIRROR)/wget
 WGET_DEPENDENCIES = host-pkgconf
 WGET_LICENSE = GPL-3.0+
 WGET_LICENSE_FILES = COPYING
+WGET_CPE_ID_VENDOR = gnu
 
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 WGET_CONF_OPTS += --with-ssl=gnutls
diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk
index 52a0e0cffc..aaab7fc28b 100644
--- a/package/wireless-regdb/wireless-regdb.mk
+++ b/package/wireless-regdb/wireless-regdb.mk
@@ -9,6 +9,7 @@ WIRELESS_REGDB_SOURCE = wireless-regdb-$(WIRELESS_REGDB_VERSION).tar.xz
 WIRELESS_REGDB_SITE = $(BR2_KERNEL_MIRROR)/software/network/wireless-regdb
 WIRELESS_REGDB_LICENSE = ISC
 WIRELESS_REGDB_LICENSE_FILES = LICENSE
+WIRELESS_REGDB_CPE_ID_VENDOR = kernel
 
 ifeq ($(BR2_PACKAGE_CRDA),y)
 define  WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS
diff --git a/package/wireless_tools/wireless_tools.mk b/package/wireless_tools/wireless_tools.mk
index b87ab20fb2..01d03218d6 100644
--- a/package/wireless_tools/wireless_tools.mk
+++ b/package/wireless_tools/wireless_tools.mk
@@ -10,6 +10,8 @@ WIRELESS_TOOLS_SITE = https://hewlettpackard.github.io/wireless-tools
 WIRELESS_TOOLS_SOURCE = wireless_tools.$(WIRELESS_TOOLS_VERSION).tar.gz
 WIRELESS_TOOLS_LICENSE = GPL-2.0
 WIRELESS_TOOLS_LICENSE_FILES = COPYING
+WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR)
+WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9
 WIRELESS_TOOLS_INSTALL_STAGING = YES
 
 WIRELESS_TOOLS_BUILD_TARGETS = iwmulticall
diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 7170db0d07..955f7fb98f 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -8,6 +8,7 @@ WPA_SUPPLICANT_VERSION = 2.9
 WPA_SUPPLICANT_SITE = http://w1.fi/releases
 WPA_SUPPLICANT_LICENSE = BSD-3-Clause
 WPA_SUPPLICANT_LICENSE_FILES = README
+WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
 WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
 WPA_SUPPLICANT_SUBDIR = wpa_supplicant
 WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
index ae42b1e62f..5caf421132 100644
--- a/package/xerces/xerces.mk
+++ b/package/xerces/xerces.mk
@@ -9,6 +9,8 @@ XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
 XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
 XERCES_LICENSE = Apache-2.0
 XERCES_LICENSE_FILES = LICENSE
+XERCES_CPE_ID_VENDOR = apache
+XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+
 XERCES_INSTALL_STAGING = YES
 
 define XERCES_DISABLE_SAMPLES
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index 487dac461b..ffbae4c873 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -11,6 +11,7 @@ XZ_INSTALL_STAGING = YES
 XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
 XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
+XZ_CPE_ID_VENDOR = tukaani
 
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
 XZ_CONF_OPTS = --enable-threads
-- 
2.26.2

[Buildroot] [PATCH 10/10] package: provide CPE ID details for numerous packages

[Alexander Dahl]

Hello Thomas,

I just wanted to know what a CPE ID is and how a change in hundred
packages look, so I had a quick glance and stumbled over two things ?

On Wed, Nov 04, 2020 at 03:51:44PM +0100, Thomas Petazzoni wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> This patch adds CPE ID information for a significant number of
> packages.
> 
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  boot/grub2/grub2.mk                                   |  1 +
>  boot/uboot/uboot.mk                                   |  2 ++
>  linux/linux.mk                                        |  2 ++
>  package/audit/audit.mk                                |  2 ++
>  package/aufs/aufs.mk                                  |  1 +
>  package/bash/bash.mk                                  |  1 +
>  package/bc/bc.mk                                      |  1 +
>  package/bind/bind.mk                                  |  1 +
>  package/boost/boost.mk                                |  1 +
>  package/bridge-utils/bridge-utils.mk                  |  1 +
>  package/busybox/busybox.mk                            |  1 +
>  package/bzip2/bzip2.mk                                |  1 +
>  package/clang/clang.mk                                |  1 +
>  package/collectd/collectd.mk                          |  1 +
>  package/conntrack-tools/conntrack-tools.mk            |  1 +
>  package/coreutils/coreutils.mk                        |  1 +
>  package/crda/crda.mk                                  |  1 +
>  package/davici/davici.mk                              |  1 +
>  package/dbus-glib/dbus-glib.mk                        |  1 +
>  package/dbus/dbus.mk                                  |  2 ++
>  package/dhcp/dhcp.mk                                  |  1 +
>  package/dnsmasq/dnsmasq.mk                            |  1 +
>  package/dropbear/dropbear.mk                          |  2 ++
>  package/ebtables/ebtables.mk                          |  1 +
>  package/ethtool/ethtool.mk                            |  1 +
>  package/expat/expat.mk                                |  1 +
>  package/gdb/gdb.mk                                    |  1 +
>  package/gesftpserver/gesftpserver.mk                  |  2 ++
>  package/glibc/glibc.mk                                |  1 +
>  package/gmp/gmp.mk                                    |  1 +
>  package/gnupg/gnupg.mk                                |  1 +
>  package/gnutls/gnutls.mk                              |  1 +
>  package/grep/grep.mk                                  |  1 +
>  package/gtest/gtest.mk                                |  2 ++
>  package/gzip/gzip.mk                                  |  1 +
>  package/hostapd/hostapd.mk                            |  1 +
>  package/ifupdown/ifupdown.mk                          |  1 +
>  package/iperf/iperf.mk                                |  2 ++
>  package/iperf3/iperf3.mk                              |  1 +
>  package/ipset/ipset.mk                                |  1 +
>  package/iptables/iptables.mk                          |  1 +
>  package/iw/iw.mk                                      |  1 +
>  package/kmod/kmod.mk                                  |  2 ++
>  package/libarchive/libarchive.mk                      |  1 +
>  package/libcurl/libcurl.mk                            |  2 ++
>  package/libestr/libestr.mk                            |  1 +
>  package/libfastjson/libfastjson.mk                    |  1 +
>  package/libfcgi/libfcgi.mk                            |  2 ++
>  package/libffi/libffi.mk                              |  2 ++
>  package/libgcrypt/libgcrypt.mk                        |  1 +
>  package/libglib2/libglib2.mk                          |  2 ++
>  package/libgpg-error/libgpg-error.mk                  |  1 +
>  package/liblogging/liblogging.mk                      |  1 +
>  package/libmbim/libmbim.mk                            |  1 +
>  package/libmnl/libmnl.mk                              |  1 +
>  .../libnetfilter_conntrack/libnetfilter_conntrack.mk  |  1 +
>  .../libnetfilter_cthelper/libnetfilter_cthelper.mk    |  1 +
>  .../libnetfilter_cttimeout/libnetfilter_cttimeout.mk  |  1 +
>  package/libnetfilter_queue/libnetfilter_queue.mk      |  1 +
>  package/libnfnetlink/libnfnetlink.mk                  |  1 +
>  package/libopenssl/Config.in                          | 11 +++++++++++
>  package/libopenssl/libopenssl.mk                      |  2 ++
>  package/libpcap/libpcap.mk                            |  1 +
>  package/libselinux/libselinux.mk                      |  1 +
>  package/libsemanage/libsemanage.mk                    |  1 +
>  package/libsepol/libsepol.mk                          |  1 +
>  package/libssh2/libssh2.mk                            |  1 +
>  package/libsysfs/libsysfs.mk                          |  2 ++
>  package/libtasn1/libtasn1.mk                          |  1 +
>  package/libunistring/libunistring.mk                  |  1 +
>  package/libxml2/libxml2.mk                            |  1 +
>  package/libxslt/libxslt.mk                            |  1 +
>  package/libzlib/libzlib.mk                            |  2 ++
>  package/lighttpd/lighttpd.mk                          |  1 +
>  package/linux-firmware/linux-firmware.mk              |  2 ++
>  package/linux-headers/linux-headers.mk                |  2 ++
>  package/linux-pam/linux-pam.mk                        |  2 ++
>  package/llvm/llvm.mk                                  |  1 +
>  package/lxc/lxc.mk                                    |  1 +
>  package/lz4/lz4.mk                                    |  1 +
>  package/memtester/memtester.mk                        |  1 +
>  package/mii-diag/mii-diag.mk                          |  1 +
>  package/mpfr/mpfr.mk                                  |  1 +
>  package/mrouted/mrouted.mk                            |  1 +
>  package/mtd/mtd.mk                                    |  2 ++
>  package/ncurses/ncurses.mk                            |  1 +
>  package/netsnmp/netsnmp.mk                            |  2 ++
>  package/nfs-utils/nfs-utils.mk                        |  2 ++
>  package/openssh/openssh.mk                            |  3 +++
>  package/pax-utils/pax-utils.mk                        |  1 +
>  package/paxtest/paxtest.mk                            |  1 +
>  package/pcre/pcre.mk                                  |  1 +
>  package/pixman/pixman.mk                              |  1 +
>  package/policycoreutils/policycoreutils.mk            |  1 +
>  package/pppd/pppd.mk                                  |  2 ++
>  package/proftpd/proftpd.mk                            |  1 +
>  package/protobuf/protobuf.mk                          |  1 +
>  package/pure-ftpd/pure-ftpd.mk                        |  1 +
>  package/python-lxml/python-lxml.mk                    |  2 ++
>  package/python-setuptools/python-setuptools.mk        |  2 ++
>  package/python/python.mk                              |  1 +
>  package/qemu/qemu.mk                                  |  1 +
>  package/rapidjson/rapidjson.mk                        |  1 +
>  package/readline/readline.mk                          |  1 +
>  package/refpolicy/refpolicy.mk                        |  1 +
>  package/rsyslog/rsyslog.mk                            |  1 +
>  package/rt-tests/rt-tests.mk                          |  1 +
>  package/sed/sed.mk                                    |  1 +
>  package/setools/setools.mk                            |  1 +
>  package/setserial/setserial.mk                        |  1 +
>  package/smcroute/smcroute.mk                          |  1 +
>  package/spawn-fcgi/spawn-fcgi.mk                      |  1 +
>  package/sqlite/sqlite.mk                              |  2 ++
>  package/strongswan/strongswan.mk                      |  1 +
>  package/tar/tar.mk                                    |  1 +
>  package/tcl/tcl.mk                                    |  1 +
>  package/tcpdump/tcpdump.mk                            |  1 +
>  package/tftpd/tftpd.mk                                |  2 ++
>  package/uboot-tools/uboot-tools.mk                    |  2 ++
>  package/util-linux/util-linux.mk                      |  1 +
>  package/valgrind/valgrind.mk                          |  1 +
>  package/vim/vim.mk                                    |  1 +
>  package/wget/wget.mk                                  |  1 +
>  package/wireless-regdb/wireless-regdb.mk              |  1 +
>  package/wireless_tools/wireless_tools.mk              |  2 ++
>  package/wpa_supplicant/wpa_supplicant.mk              |  1 +
>  package/xerces/xerces.mk                              |  2 ++
>  package/xz/xz.mk                                      |  1 +
>  128 files changed, 170 insertions(+)
> 
> diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
> index 5fca2315ee..9686815f4d 100644
> --- a/boot/grub2/grub2.mk
> +++ b/boot/grub2/grub2.mk
> @@ -37,6 +37,7 @@ GRUB2_INSTALL_TARGET = YES
>  else
>  GRUB2_INSTALL_TARGET = NO
>  endif
> +GRUB2_CPE_ID_VENDOR = gnu
>  
>  GRUB2_BUILTIN_MODULES = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES))
>  GRUB2_BUILTIN_CONFIG = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG))
> diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk
> index 72d5df412d..2028fb1167 100644
> --- a/boot/uboot/uboot.mk
> +++ b/boot/uboot/uboot.mk
> @@ -11,6 +11,8 @@ UBOOT_LICENSE = GPL-2.0+
>  ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)
>  UBOOT_LICENSE_FILES = Licenses/gpl-2.0.txt
>  endif
> +UBOOT_CPE_ID_VENDOR = denx
> +UBOOT_CPE_ID_NAME = u-boot
>  
>  UBOOT_INSTALL_IMAGES = YES
>  
> diff --git a/linux/linux.mk b/linux/linux.mk
> index e07e014d1e..648f6ea2a5 100644
> --- a/linux/linux.mk
> +++ b/linux/linux.mk
> @@ -12,6 +12,8 @@ LINUX_LICENSE_FILES = \
>  	LICENSES/preferred/GPL-2.0 \
>  	LICENSES/exceptions/Linux-syscall-note
>  endif
> +LINUX_CPE_ID_VENDOR = $(LINUX_NAME)
> +LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel
>  
>  define LINUX_HELP_CMDS
>  	@echo '  linux-menuconfig       - Run Linux kernel menuconfig'
> diff --git a/package/audit/audit.mk b/package/audit/audit.mk
> index 652e0fcd56..a20767d24b 100644
> --- a/package/audit/audit.mk
> +++ b/package/audit/audit.mk
> @@ -10,6 +10,8 @@ AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
>  AUDIT_LICENSE_FILES = COPYING COPYING.LIB
>  # 0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
>  AUDIT_AUTORECONF = YES
> +AUDIT_CPE_ID_VENDOR = linux_audit_project
> +AUDIT_CPE_ID_NAME = linux_audit
>  
>  AUDIT_INSTALL_STAGING = YES
>  
> diff --git a/package/aufs/aufs.mk b/package/aufs/aufs.mk
> index 4e95a350a0..495e94e606 100644
> --- a/package/aufs/aufs.mk
> +++ b/package/aufs/aufs.mk
> @@ -7,6 +7,7 @@
>  AUFS_VERSION = $(call qstrip,$(BR2_PACKAGE_AUFS_VERSION))
>  AUFS_LICENSE = GPL-2.0
>  AUFS_LICENSE_FILES = COPYING
> +AUFS_CPE_ID_VERSION = 4.1
>  
>  ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)
>  AUFS_SITE = http://git.code.sf.net/p/aufs/aufs3-standalone
> diff --git a/package/bash/bash.mk b/package/bash/bash.mk
> index 1843862e49..b4681c1085 100644
> --- a/package/bash/bash.mk
> +++ b/package/bash/bash.mk
> @@ -10,6 +10,7 @@ BASH_DEPENDENCIES = ncurses readline host-bison
>  BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
>  BASH_LICENSE = GPL-3.0+
>  BASH_LICENSE_FILES = COPYING
> +BASH_CPE_ID_VENDOR = gnu
>  
>  BASH_CONF_ENV += \
>  	ac_cv_rl_prefix="$(STAGING_DIR)" \
> diff --git a/package/bc/bc.mk b/package/bc/bc.mk
> index fdfacb6c89..06b6feae4f 100644
> --- a/package/bc/bc.mk
> +++ b/package/bc/bc.mk
> @@ -9,6 +9,7 @@ BC_SITE = http://ftp.gnu.org/gnu/bc
>  BC_DEPENDENCIES = host-flex
>  BC_LICENSE = GPL-2.0+, LGPL-2.1+
>  BC_LICENSE_FILES = COPYING COPYING.LIB
> +BC_CPE_ID_VENDOR = gnu
>  BC_CONF_ENV = MAKEINFO=true
>  
>  # 0001-bc-use-MAKEINFO-variable-for-docs.patch and 0004-no-gen-libmath.patch
> diff --git a/package/bind/bind.mk b/package/bind/bind.mk
> index 18fc4845f9..41b3146da1 100644
> --- a/package/bind/bind.mk
> +++ b/package/bind/bind.mk
> @@ -12,6 +12,7 @@ BIND_INSTALL_STAGING = YES
>  BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
>  BIND_LICENSE = MPL-2.0
>  BIND_LICENSE_FILES = COPYRIGHT
> +BIND_CPE_ID_VENDOR = isc
>  BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
>  BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
>  BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
> diff --git a/package/boost/boost.mk b/package/boost/boost.mk
> index 82fe42d6b2..d5c404a13c 100644
> --- a/package/boost/boost.mk
> +++ b/package/boost/boost.mk
> @@ -10,6 +10,7 @@ BOOST_SITE = https://dl.bintray.com/boostorg/release/$(BOOST_VERSION)/source
>  BOOST_INSTALL_STAGING = YES
>  BOOST_LICENSE = BSL-1.0
>  BOOST_LICENSE_FILES = LICENSE_1_0.txt
> +BOOST_CPE_ID_VENDOR = $(BOOST_NAME)
>  
>  # CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
>  # while in fact it affects Drupal (a module called boost in there).
> diff --git a/package/bridge-utils/bridge-utils.mk b/package/bridge-utils/bridge-utils.mk
> index 9d63b3ef30..fa71c3a64e 100644
> --- a/package/bridge-utils/bridge-utils.mk
> +++ b/package/bridge-utils/bridge-utils.mk
> @@ -10,6 +10,7 @@ BRIDGE_UTILS_SITE = \
>  BRIDGE_UTILS_AUTORECONF = YES
>  BRIDGE_UTILS_LICENSE = GPL-2.0+
>  BRIDGE_UTILS_LICENSE_FILES = COPYING
> +BRIDGE_UTILS_CPE_ID_VENDOR = kernel
>  
>  # Avoid using the host's headers. Location is not important as
>  # required headers will anyway be found from within the sysroot.
> diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
> index 8c8303a358..38c40eeb15 100644
> --- a/package/busybox/busybox.mk
> +++ b/package/busybox/busybox.mk
> @@ -9,6 +9,7 @@ BUSYBOX_SITE = http://www.busybox.net/downloads
>  BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
>  BUSYBOX_LICENSE = GPL-2.0, bzip2-1.0.4
>  BUSYBOX_LICENSE_FILES = LICENSE archival/libarchive/bz/LICENSE
> +BUSYBOX_CPE_ID_VENDOR = $(BUSYBOX_NAME)
>  
>  define BUSYBOX_HELP_CMDS
>  	@echo '  busybox-menuconfig     - Run BusyBox menuconfig'
> diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
> index b4d8eea25e..c2e5f7610e 100644
> --- a/package/bzip2/bzip2.mk
> +++ b/package/bzip2/bzip2.mk
> @@ -9,6 +9,7 @@ BZIP2_SITE = https://sourceware.org/pub/bzip2
>  BZIP2_INSTALL_STAGING = YES
>  BZIP2_LICENSE = bzip2 license
>  BZIP2_LICENSE_FILES = LICENSE
> +BZIP2_CPE_ID_VENDOR = bzip
>  
>  ifeq ($(BR2_STATIC_LIBS),)
>  define BZIP2_BUILD_SHARED_CMDS
> diff --git a/package/clang/clang.mk b/package/clang/clang.mk
> index ceb7de9afa..bf1a362ccf 100644
> --- a/package/clang/clang.mk
> +++ b/package/clang/clang.mk
> @@ -10,6 +10,7 @@ CLANG_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(CL
>  CLANG_SOURCE = clang-$(CLANG_VERSION).src.tar.xz
>  CLANG_LICENSE = Apache-2.0 with exceptions
>  CLANG_LICENSE_FILES = LICENSE.TXT
> +CLANG_CVE_ID_VENDOR = llvm

Is this supposed to be CLANG_CPE_ID_VENDOR instead?

>  CLANG_SUPPORTS_IN_SOURCE_BUILD = NO
>  CLANG_INSTALL_STAGING = YES
>  
> diff --git a/package/collectd/collectd.mk b/package/collectd/collectd.mk
> index 00e33f27df..83bf01109a 100644
> --- a/package/collectd/collectd.mk
> +++ b/package/collectd/collectd.mk
> @@ -12,6 +12,7 @@ COLLECTD_CONF_ENV = ac_cv_lib_yajl_yajl_alloc=yes
>  COLLECTD_INSTALL_STAGING = YES
>  COLLECTD_LICENSE = MIT (daemon, plugins), GPL-2.0 (plugins), LGPL-2.1 (plugins)
>  COLLECTD_LICENSE_FILES = COPYING
> +COLLECTD_CPE_ID_VENDOR = $(COLLECTD_NAME)
>  
>  # These require unmet dependencies, are fringe, pointless or deprecated
>  COLLECTD_PLUGINS_DISABLE = \
> diff --git a/package/conntrack-tools/conntrack-tools.mk b/package/conntrack-tools/conntrack-tools.mk
> index 145b6d785f..55ea407924 100644
> --- a/package/conntrack-tools/conntrack-tools.mk
> +++ b/package/conntrack-tools/conntrack-tools.mk
> @@ -12,6 +12,7 @@ CONNTRACK_TOOLS_DEPENDENCIES = host-pkgconf \
>  	libnetfilter_queue host-bison host-flex
>  CONNTRACK_TOOLS_LICENSE = GPL-2.0+
>  CONNTRACK_TOOLS_LICENSE_FILES = COPYING
> +CONNTRACK_TOOLS_CPE_ID_VENDOR = netfilter
>  
>  CONNTRACK_TOOLS_CFLAGS = $(TARGET_CFLAGS)
>  
> diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
> index 3866b76243..18e9052dfd 100644
> --- a/package/coreutils/coreutils.mk
> +++ b/package/coreutils/coreutils.mk
> @@ -9,6 +9,7 @@ COREUTILS_SITE = $(BR2_GNU_MIRROR)/coreutils
>  COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
>  COREUTILS_LICENSE = GPL-3.0+
>  COREUTILS_LICENSE_FILES = COPYING
> +COREUTILS_CPE_ID_VENDOR = gnu
>  
>  COREUTILS_CONF_OPTS = --disable-rpath \
>  	$(if $(BR2_TOOLCHAIN_USES_MUSL),--with-included-regex)
> diff --git a/package/crda/crda.mk b/package/crda/crda.mk
> index c5880797be..31a64d004b 100644
> --- a/package/crda/crda.mk
> +++ b/package/crda/crda.mk
> @@ -9,6 +9,7 @@ CRDA_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snap
>  CRDA_DEPENDENCIES = host-pkgconf host-python-pycryptodomex libnl libgcrypt
>  CRDA_LICENSE = ISC
>  CRDA_LICENSE_FILES = LICENSE
> +CRDA_CPE_ID_VENDOR = kernel
>  
>  define CRDA_BUILD_CMDS
>  	$(TARGET_CONFIGURE_OPTS) \
> diff --git a/package/davici/davici.mk b/package/davici/davici.mk
> index 5c08bbe0da..6c8df48b6a 100644
> --- a/package/davici/davici.mk
> +++ b/package/davici/davici.mk
> @@ -8,6 +8,7 @@ DAVICI_VERSION = 1.3
>  DAVICI_SITE = $(call github,strongswan,davici,v$(DAVICI_VERSION))
>  DAVICI_LICENSE = LGPL-2.1+
>  DAVICI_LICENSE_FILES = COPYING
> +DAVICI_CPE_ID_VENDOR = strongswan
>  DAVICI_DEPENDENCIES = strongswan
>  DAVICI_INSTALL_STAGING = YES
>  DAVICI_AUTORECONF = YES
> diff --git a/package/dbus-glib/dbus-glib.mk b/package/dbus-glib/dbus-glib.mk
> index 372942e1c3..5eb158d954 100644
> --- a/package/dbus-glib/dbus-glib.mk
> +++ b/package/dbus-glib/dbus-glib.mk
> @@ -9,6 +9,7 @@ DBUS_GLIB_SITE = http://dbus.freedesktop.org/releases/dbus-glib
>  DBUS_GLIB_INSTALL_STAGING = YES
>  DBUS_GLIB_LICENSE = AFL-2.1 or GPL-2.0+
>  DBUS_GLIB_LICENSE_FILES = COPYING
> +DBUS_GLIB_CPE_ID_VENDOR = freedesktop
>  
>  DBUS_GLIB_CONF_ENV = \
>  	ac_cv_have_abstract_sockets=yes \
> diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
> index b58f1ddda3..279252bd78 100644
> --- a/package/dbus/dbus.mk
> +++ b/package/dbus/dbus.mk
> @@ -8,6 +8,8 @@ DBUS_VERSION = 1.12.18
>  DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
>  DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
>  DBUS_LICENSE_FILES = COPYING
> +DBUS_CPE_ID_VENDOR = d-bus_project
> +DBUS_CPE_ID_NAME = d-bus
>  DBUS_INSTALL_STAGING = YES
>  
>  define DBUS_PERMISSIONS
> diff --git a/package/dhcp/dhcp.mk b/package/dhcp/dhcp.mk
> index ad59804d3b..988c7792dc 100644
> --- a/package/dhcp/dhcp.mk
> +++ b/package/dhcp/dhcp.mk
> @@ -10,6 +10,7 @@ DHCP_INSTALL_STAGING = YES
>  DHCP_LICENSE = MPL-2.0
>  DHCP_LICENSE_FILES = LICENSE
>  DHCP_DEPENDENCIES = bind
> +DHCP_CPE_ID_VENDOR = isc
>  
>  # use libtool-enabled configure.ac
>  define DHCP_LIBTOOL_AUTORECONF
> diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk
> index 4a7218a2b7..e0e8bed5aa 100644
> --- a/package/dnsmasq/dnsmasq.mk
> +++ b/package/dnsmasq/dnsmasq.mk
> @@ -14,6 +14,7 @@ DNSMASQ_MAKE_OPTS += DESTDIR=$(TARGET_DIR) LDFLAGS="$(TARGET_LDFLAGS)" \
>  DNSMASQ_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES)
>  DNSMASQ_LICENSE = GPL-2.0 or GPL-3.0
>  DNSMASQ_LICENSE_FILES = COPYING COPYING-v3
> +DNSMASQ_CPE_ID_VENDOR = thekelleys
>  
>  DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n)
>  
> diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
> index 00992f0662..87c161f704 100644
> --- a/package/dropbear/dropbear.mk
> +++ b/package/dropbear/dropbear.mk
> @@ -11,6 +11,8 @@ DROPBEAR_LICENSE = MIT, BSD-2-Clause, Public domain
>  DROPBEAR_LICENSE_FILES = LICENSE
>  DROPBEAR_TARGET_BINS = dropbearkey dropbearconvert scp
>  DROPBEAR_PROGRAMS = dropbear $(DROPBEAR_TARGET_BINS)
> +DROPBEAR_CPE_ID_VENDOR = $(DROPBEAR_NAME)_ssh_project
> +DROPBEAR_CPE_ID_NAME = $(DROPBEAR_NAME)_ssh
>  
>  # Disable hardening flags added by dropbear configure.ac, and let
>  # Buildroot add them when the relevant options are enabled. This
> diff --git a/package/ebtables/ebtables.mk b/package/ebtables/ebtables.mk
> index e8b982206c..b94ac8541f 100644
> --- a/package/ebtables/ebtables.mk
> +++ b/package/ebtables/ebtables.mk
> @@ -8,6 +8,7 @@ EBTABLES_VERSION = 2.0.11
>  EBTABLES_SITE = http://ftp.netfilter.org/pub/ebtables
>  EBTABLES_LICENSE = GPL-2.0+
>  EBTABLES_LICENSE_FILES = COPYING
> +EBTABLES_CVE_ID_VENDOR = netfilter

Same here? CVE or CPE?

On all the other packages it is CPE, so maybe those two are just
typos?

Greets
Alex

>  
>  ifeq ($(BR2_PACKAGE_EBTABLES_UTILS_SAVE),y)
>  define EBTABLES_INSTALL_TARGET_UTILS_SAVE
> diff --git a/package/ethtool/ethtool.mk b/package/ethtool/ethtool.mk
> index 1668171f3a..0e94a918c2 100644
> --- a/package/ethtool/ethtool.mk
> +++ b/package/ethtool/ethtool.mk
> @@ -9,6 +9,7 @@ ETHTOOL_SOURCE = ethtool-$(ETHTOOL_VERSION).tar.xz
>  ETHTOOL_SITE = $(BR2_KERNEL_MIRROR)/software/network/ethtool
>  ETHTOOL_LICENSE = GPL-2.0
>  ETHTOOL_LICENSE_FILES = LICENSE COPYING
> +ETHTOOL_CPE_ID_VENDOR = kernel
>  ETHTOOL_CONF_OPTS = \
>  	$(if $(BR2_PACKAGE_ETHTOOL_PRETTY_PRINT),--enable-pretty-dump,--disable-pretty-dump)
>  
> diff --git a/package/expat/expat.mk b/package/expat/expat.mk
> index bb04ab1a90..201e18ae65 100644
> --- a/package/expat/expat.mk
> +++ b/package/expat/expat.mk
> @@ -12,6 +12,7 @@ EXPAT_DEPENDENCIES = host-pkgconf
>  HOST_EXPAT_DEPENDENCIES = host-pkgconf
>  EXPAT_LICENSE = MIT
>  EXPAT_LICENSE_FILES = COPYING
> +EXPAT_CPE_ID_VENDOR = libexpat
>  
>  EXPAT_CONF_OPTS = --without-docbook
>  HOST_EXPAT_CONF_OPTS = --without-docbook
> diff --git a/package/gdb/gdb.mk b/package/gdb/gdb.mk
> index f31b168bf1..b0a21c1d9f 100644
> --- a/package/gdb/gdb.mk
> +++ b/package/gdb/gdb.mk
> @@ -25,6 +25,7 @@ endif
>  
>  GDB_LICENSE = GPL-2.0+, LGPL-2.0+, GPL-3.0+, LGPL-3.0+
>  GDB_LICENSE_FILES = COPYING COPYING.LIB COPYING3 COPYING3.LIB
> +GDB_CPE_ID_VENDOR = gnu
>  
>  # On gdb < 10, if you want to build only gdbserver, you need to
>  # configure only gdb/gdbserver.
> diff --git a/package/gesftpserver/gesftpserver.mk b/package/gesftpserver/gesftpserver.mk
> index ff7ce768ae..07718a4c42 100644
> --- a/package/gesftpserver/gesftpserver.mk
> +++ b/package/gesftpserver/gesftpserver.mk
> @@ -12,6 +12,8 @@ GESFTPSERVER_LICENSE_FILES = COPYING
>  
>  # "Missing prototype" warning treated as error
>  GESFTPSERVER_CONF_OPTS = --disable-warnings-as-errors
> +GESFTPSERVER_CPE_ID_VENDOR = green_end
> +GESFTPSERVER_CPE_ID_NAME = sftpserver
>  
>  # forgets to link against pthread when cross compiling
>  GESFTPSERVER_CONF_ENV = LIBS=-lpthread
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 4721177d83..7add82f9ce 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -33,6 +33,7 @@ endif
>  
>  GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
>  GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
> +GLIBC_CPE_ID_VENDOR = gnu
>  
>  # glibc is part of the toolchain so disable the toolchain dependency
>  GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
> diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
> index d124463a98..a79d5b7d9a 100644
> --- a/package/gmp/gmp.mk
> +++ b/package/gmp/gmp.mk
> @@ -10,6 +10,7 @@ GMP_SOURCE = gmp-$(GMP_VERSION).tar.xz
>  GMP_INSTALL_STAGING = YES
>  GMP_LICENSE = LGPL-3.0+ or GPL-2.0+
>  GMP_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2
> +GMP_CPE_ID_VENDOR = gmplib
>  GMP_DEPENDENCIES = host-m4
>  HOST_GMP_DEPENDENCIES = host-m4
>  
> diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
> index 617def884e..ba424fed96 100644
> --- a/package/gnupg/gnupg.mk
> +++ b/package/gnupg/gnupg.mk
> @@ -10,6 +10,7 @@ GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
>  GNUPG_LICENSE = GPL-3.0+
>  GNUPG_LICENSE_FILES = COPYING
>  GNUPG_DEPENDENCIES = zlib $(if $(BR2_PACKAGE_LIBICONV),libiconv)
> +GNUPG_CPE_ID_VENDOR = $(GNUPG_NAME)
>  GNUPG_CONF_ENV = ac_cv_sys_symbol_underscore=no
>  GNUPG_CONF_OPTS = \
>  	--disable-rpath \
> diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
> index 9f53150004..65bb4893e8 100644
> --- a/package/gnutls/gnutls.mk
> +++ b/package/gnutls/gnutls.mk
> @@ -17,6 +17,7 @@ GNUTLS_LICENSE_FILES += doc/COPYING
>  endif
>  
>  GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
> +GNUTLS_CPE_ID_VENDOR = gnu
>  GNUTLS_CONF_OPTS = \
>  	--disable-doc \
>  	--disable-guile \
> diff --git a/package/grep/grep.mk b/package/grep/grep.mk
> index bdc22fa46c..7a07f0b676 100644
> --- a/package/grep/grep.mk
> +++ b/package/grep/grep.mk
> @@ -9,6 +9,7 @@ GREP_SITE = $(BR2_GNU_MIRROR)/grep
>  GREP_SOURCE = grep-$(GREP_VERSION).tar.xz
>  GREP_LICENSE = GPL-3.0+
>  GREP_LICENSE_FILES = COPYING
> +GREP_CPE_ID_VENDOR = gnu
>  GREP_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
>  # install into /bin like busybox grep
>  GREP_CONF_OPTS = --exec-prefix=/
> diff --git a/package/gtest/gtest.mk b/package/gtest/gtest.mk
> index 7f967b8bfb..fc51d9f7a2 100644
> --- a/package/gtest/gtest.mk
> +++ b/package/gtest/gtest.mk
> @@ -10,6 +10,8 @@ GTEST_INSTALL_STAGING = YES
>  GTEST_INSTALL_TARGET = NO
>  GTEST_LICENSE = BSD-3-Clause
>  GTEST_LICENSE_FILES = googletest/LICENSE
> +GTEST_CPE_ID_VENDOR = google
> +GTEST_CPE_ID_NAME = google_test
>  
>  ifeq ($(BR2_PACKAGE_GTEST_GMOCK),y)
>  GTEST_DEPENDENCIES += host-gtest
> diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
> index 17b27b497c..c8fd3ddb7a 100644
> --- a/package/gzip/gzip.mk
> +++ b/package/gzip/gzip.mk
> @@ -11,6 +11,7 @@ GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
>  GZIP_CONF_OPTS = --exec-prefix=/
>  GZIP_LICENSE = GPL-3.0+
>  GZIP_LICENSE_FILES = COPYING
> +GZIP_CPE_ID_VENDOR = gnu
>  GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
>  HOST_GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
>  # configure substitutes $(SHELL) for the shell shebang in scripts like
> diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
> index 676e36d8ba..efeefd8b35 100644
> --- a/package/hostapd/hostapd.mk
> +++ b/package/hostapd/hostapd.mk
> @@ -23,6 +23,7 @@ HOSTAPD_IGNORE_CVES += CVE-2019-16275
>  # 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
>  HOSTAPD_IGNORE_CVES += CVE-2020-12695
>  
> +HOSTAPD_CPE_ID_VENDOR = w1.fi
>  HOSTAPD_CONFIG_SET =
>  
>  HOSTAPD_CONFIG_ENABLE = \
> diff --git a/package/ifupdown/ifupdown.mk b/package/ifupdown/ifupdown.mk
> index 84d24aedab..e62c2a79c5 100644
> --- a/package/ifupdown/ifupdown.mk
> +++ b/package/ifupdown/ifupdown.mk
> @@ -9,6 +9,7 @@ IFUPDOWN_SOURCE = ifupdown_$(IFUPDOWN_VERSION).tar.xz
>  IFUPDOWN_SITE = http://snapshot.debian.org/archive/debian/20160922T165503Z/pool/main/i/ifupdown
>  IFUPDOWN_LICENSE = GPL-2.0+
>  IFUPDOWN_LICENSE_FILES = COPYING
> +IFUPDOWN_CPE_ID_VENDOR = debian
>  
>  define IFUPDOWN_BUILD_CMDS
>  	$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
> diff --git a/package/iperf/iperf.mk b/package/iperf/iperf.mk
> index 7088b0f152..f1e65e7545 100644
> --- a/package/iperf/iperf.mk
> +++ b/package/iperf/iperf.mk
> @@ -8,6 +8,8 @@ IPERF_VERSION = 2.0.13
>  IPERF_SITE = http://downloads.sourceforge.net/project/iperf2
>  IPERF_LICENSE = MIT-like
>  IPERF_LICENSE_FILES = COPYING
> +IPERF_CPE_ID_VENDOR = $(IPERF_NAME)2_project
> +IPERF_CPE_ID_NAME = $(IPERF_NAME)2
>  
>  IPERF_CONF_OPTS = \
>  	--disable-web100
> diff --git a/package/iperf3/iperf3.mk b/package/iperf3/iperf3.mk
> index f67fa17022..7d20b86e78 100644
> --- a/package/iperf3/iperf3.mk
> +++ b/package/iperf3/iperf3.mk
> @@ -9,6 +9,7 @@ IPERF3_SITE = https://downloads.es.net/pub/iperf
>  IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz
>  IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT
>  IPERF3_LICENSE_FILES = LICENSE
> +IPERF3_CPE_ID_VENDOR = es
>  
>  IPERF3_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -D_GNU_SOURCE"
>  
> diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk
> index 869763d322..cea3ee0e05 100644
> --- a/package/ipset/ipset.mk
> +++ b/package/ipset/ipset.mk
> @@ -11,6 +11,7 @@ IPSET_DEPENDENCIES = libmnl host-pkgconf
>  IPSET_CONF_OPTS = --with-kmod=no
>  IPSET_LICENSE = GPL-2.0
>  IPSET_LICENSE_FILES = COPYING
> +IPSET_CPE_ID_VENDOR = netfilter
>  IPSET_INSTALL_STAGING = YES
>  
>  $(eval $(autotools-package))
> diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> index 442639f159..053d0e3964 100644
> --- a/package/iptables/iptables.mk
> +++ b/package/iptables/iptables.mk
> @@ -12,6 +12,7 @@ IPTABLES_DEPENDENCIES = host-pkgconf \
>  	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
>  IPTABLES_LICENSE = GPL-2.0
>  IPTABLES_LICENSE_FILES = COPYING
> +IPTABLES_CPE_ID_VENDOR = netfilter
>  # Building static causes ugly warnings on some plugins
>  IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
>  	$(if $(BR2_STATIC_LIBS),,--disable-static)
> diff --git a/package/iw/iw.mk b/package/iw/iw.mk
> index 2250ea413b..a232cc8baa 100644
> --- a/package/iw/iw.mk
> +++ b/package/iw/iw.mk
> @@ -9,6 +9,7 @@ IW_SOURCE = iw-$(IW_VERSION).tar.xz
>  IW_SITE = $(BR2_KERNEL_MIRROR)/software/network/iw
>  IW_LICENSE = ISC
>  IW_LICENSE_FILES = COPYING
> +IW_CPE_ID_VENDOR = kernel
>  IW_DEPENDENCIES = host-pkgconf libnl
>  IW_MAKE_ENV = \
>  	$(TARGET_MAKE_ENV) \
> diff --git a/package/kmod/kmod.mk b/package/kmod/kmod.mk
> index 69615452cf..d0f26a8841 100644
> --- a/package/kmod/kmod.mk
> +++ b/package/kmod/kmod.mk
> @@ -15,6 +15,8 @@ HOST_KMOD_DEPENDENCIES = host-pkgconf
>  KMOD_LICENSE = LGPL-2.1+ (library)
>  KMOD_LICENSE_FILES = libkmod/COPYING
>  
> +KMOD_CPE_ID_VENDOR = kernel
> +
>  # --gc-sections triggers binutils ld segfault
>  # https://sourceware.org/bugzilla/show_bug.cgi?id=21180
>  ifeq ($(BR2_microblaze),y)
> diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
> index 708ce637c2..71c8a2e4cf 100644
> --- a/package/libarchive/libarchive.mk
> +++ b/package/libarchive/libarchive.mk
> @@ -9,6 +9,7 @@ LIBARCHIVE_SITE = https://www.libarchive.de/downloads
>  LIBARCHIVE_INSTALL_STAGING = YES
>  LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
>  LIBARCHIVE_LICENSE_FILES = COPYING
> +LIBARCHIVE_CPE_ID_VENDOR = $(LIBARCHIVE_NAME)
>  
>  ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
>  ifeq ($(BR2_STATIC_LIBS),y)
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 74ce3be654..40e2c8ec0e 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -12,6 +12,8 @@ LIBCURL_DEPENDENCIES = host-pkgconf \
>  	$(if $(BR2_PACKAGE_RTMPDUMP),rtmpdump)
>  LIBCURL_LICENSE = curl
>  LIBCURL_LICENSE_FILES = COPYING
> +LIBCURL_CPE_ID_VENDOR = haxx
> +LIBCURL_CPE_ID_NAME = libcurl
>  LIBCURL_INSTALL_STAGING = YES
>  
>  # We disable NTLM support because it uses fork(), which doesn't work
> diff --git a/package/libestr/libestr.mk b/package/libestr/libestr.mk
> index 30960f7257..6ce22efae2 100644
> --- a/package/libestr/libestr.mk
> +++ b/package/libestr/libestr.mk
> @@ -8,6 +8,7 @@ LIBESTR_VERSION = 0.1.11
>  LIBESTR_SITE = http://libestr.adiscon.com/files/download
>  LIBESTR_LICENSE = LGPL-2.1+
>  LIBESTR_LICENSE_FILES = COPYING
> +LIBESTR_CPE_ID_VENDOR = adiscon
>  LIBESTR_INSTALL_STAGING = YES
>  
>  $(eval $(autotools-package))
> diff --git a/package/libfastjson/libfastjson.mk b/package/libfastjson/libfastjson.mk
> index ecca72f56c..37dbd7e03e 100644
> --- a/package/libfastjson/libfastjson.mk
> +++ b/package/libfastjson/libfastjson.mk
> @@ -12,5 +12,6 @@ LIBFASTJSON_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
>  LIBFASTJSON_AUTORECONF = YES
>  LIBFASTJSON_LICENSE = MIT
>  LIBFASTJSON_LICENSE_FILES = COPYING
> +LIBFASTJSON_CPE_ID_VENDOR = rsyslog
>  
>  $(eval $(autotools-package))
> diff --git a/package/libfcgi/libfcgi.mk b/package/libfcgi/libfcgi.mk
> index c158df2395..c40d9c5970 100644
> --- a/package/libfcgi/libfcgi.mk
> +++ b/package/libfcgi/libfcgi.mk
> @@ -8,6 +8,8 @@ LIBFCGI_VERSION = 2.4.2
>  LIBFCGI_SITE = $(call github,FastCGI-Archives,fcgi2,$(LIBFCGI_VERSION))
>  LIBFCGI_LICENSE = OML
>  LIBFCGI_LICENSE_FILES = LICENSE.TERMS
> +LIBFCGI_CPE_ID_VENDOR = fastcgi
> +LIBFCGI_CPE_ID_NAME = fcgi
>  LIBFCGI_INSTALL_STAGING = YES
>  LIBFCGI_AUTORECONF = YES
>  
> diff --git a/package/libffi/libffi.mk b/package/libffi/libffi.mk
> index 722a03dca0..e87a024040 100644
> --- a/package/libffi/libffi.mk
> +++ b/package/libffi/libffi.mk
> @@ -6,6 +6,8 @@
>  
>  LIBFFI_VERSION = 3.3
>  LIBFFI_SITE = $(call github,libffi,libffi,v$(LIBFFI_VERSION))
> +LIBFFI_CPE_ID_VERSION = 3.3
> +LIBFFI_CPE_ID_VERSION_MINOR = rc0
>  LIBFFI_LICENSE = MIT
>  LIBFFI_LICENSE_FILES = LICENSE
>  LIBFFI_INSTALL_STAGING = YES
> diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
> index b2c1ea3cbe..d928d2fd80 100644
> --- a/package/libgcrypt/libgcrypt.mk
> +++ b/package/libgcrypt/libgcrypt.mk
> @@ -12,6 +12,7 @@ LIBGCRYPT_SITE = https://gnupg.org/ftp/gcrypt/libgcrypt
>  LIBGCRYPT_INSTALL_STAGING = YES
>  LIBGCRYPT_DEPENDENCIES = libgpg-error
>  LIBGCRYPT_CONFIG_SCRIPTS = libgcrypt-config
> +LIBGCRYPT_CPE_ID_VENDOR = gnupg
>  
>  # Patching acinclude.m4 in 0001
>  # Patching configure.ac and Makefile.am in 0002
> diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
> index 6e9dbd7b26..e55540976d 100644
> --- a/package/libglib2/libglib2.mk
> +++ b/package/libglib2/libglib2.mk
> @@ -10,6 +10,8 @@ LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
>  LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
>  LIBGLIB2_LICENSE = LGPL-2.1+
>  LIBGLIB2_LICENSE_FILES = COPYING
> +LIBGLIB2_CPE_ID_VENDOR = gnome
> +LIBGLIB2_CPE_ID_NAME = glib
>  LIBGLIB2_INSTALL_STAGING = YES
>  
>  LIBGLIB2_CFLAGS = $(TARGET_CFLAGS)
> diff --git a/package/libgpg-error/libgpg-error.mk b/package/libgpg-error/libgpg-error.mk
> index 6281faa662..05c7f710f2 100644
> --- a/package/libgpg-error/libgpg-error.mk
> +++ b/package/libgpg-error/libgpg-error.mk
> @@ -9,6 +9,7 @@ LIBGPG_ERROR_SITE = https://www.gnupg.org/ftp/gcrypt/libgpg-error
>  LIBGPG_ERROR_SOURCE = libgpg-error-$(LIBGPG_ERROR_VERSION).tar.bz2
>  LIBGPG_ERROR_LICENSE = GPL-2.0+, LGPL-2.1+
>  LIBGPG_ERROR_LICENSE_FILES = COPYING COPYING.LIB
> +LIBGPG_ERROR_CPE_ID_VENDOR = gnupg
>  LIBGPG_ERROR_INSTALL_STAGING = YES
>  LIBGPG_ERROR_CONFIG_SCRIPTS = gpg-error-config
>  LIBGPG_ERROR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
> diff --git a/package/liblogging/liblogging.mk b/package/liblogging/liblogging.mk
> index c756891a86..24375b56b4 100644
> --- a/package/liblogging/liblogging.mk
> +++ b/package/liblogging/liblogging.mk
> @@ -8,6 +8,7 @@ LIBLOGGING_VERSION = 1.0.6
>  LIBLOGGING_SITE = http://download.rsyslog.com/liblogging
>  LIBLOGGING_LICENSE = BSD-2-Clause
>  LIBLOGGING_LICENSE_FILES = COPYING
> +LIBLOGGING_CPE_ID_VENDOR = adiscon
>  LIBLOGGING_INSTALL_STAGING = YES
>  LIBLOGGING_CONF_OPTS = --enable-cached-man-pages
>  
> diff --git a/package/libmbim/libmbim.mk b/package/libmbim/libmbim.mk
> index 05345623bd..4ce3ca892e 100644
> --- a/package/libmbim/libmbim.mk
> +++ b/package/libmbim/libmbim.mk
> @@ -9,6 +9,7 @@ LIBMBIM_SITE = https://www.freedesktop.org/software/libmbim
>  LIBMBIM_SOURCE = libmbim-$(LIBMBIM_VERSION).tar.xz
>  LIBMBIM_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
>  LIBMBIM_LICENSE_FILES = COPYING COPYING.LIB
> +LIBMBIM_CPE_ID_VENDOR = freedesktop
>  LIBMBIM_INSTALL_STAGING = YES
>  
>  LIBMBIM_DEPENDENCIES = libglib2
> diff --git a/package/libmnl/libmnl.mk b/package/libmnl/libmnl.mk
> index 7fcce4c21f..d3b33db2e0 100644
> --- a/package/libmnl/libmnl.mk
> +++ b/package/libmnl/libmnl.mk
> @@ -10,5 +10,6 @@ LIBMNL_SITE = http://netfilter.org/projects/libmnl/files
>  LIBMNL_INSTALL_STAGING = YES
>  LIBMNL_LICENSE = LGPL-2.1+
>  LIBMNL_LICENSE_FILES = COPYING
> +LIBMNL_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
> index 8beefefb51..0a5a94be8f 100644
> --- a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
> +++ b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
> @@ -11,5 +11,6 @@ LIBNETFILTER_CONNTRACK_INSTALL_STAGING = YES
>  LIBNETFILTER_CONNTRACK_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
>  LIBNETFILTER_CONNTRACK_LICENSE = GPL-2.0+
>  LIBNETFILTER_CONNTRACK_LICENSE_FILES = COPYING
> +LIBNETFILTER_CONNTRACK_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
> index 61d6acd07c..d74ea4d0fd 100644
> --- a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
> +++ b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
> @@ -12,5 +12,6 @@ LIBNETFILTER_CTHELPER_DEPENDENCIES = host-pkgconf libmnl
>  LIBNETFILTER_CTHELPER_AUTORECONF = YES
>  LIBNETFILTER_CTHELPER_LICENSE = GPL-2.0+
>  LIBNETFILTER_CTHELPER_LICENSE_FILES = COPYING
> +LIBNETFILTER_CTHELPER_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
> index 9c4c951687..f5c5067b64 100644
> --- a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
> +++ b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
> @@ -12,5 +12,6 @@ LIBNETFILTER_CTTIMEOUT_DEPENDENCIES = host-pkgconf libmnl
>  LIBNETFILTER_CTTIMEOUT_AUTORECONF = YES
>  LIBNETFILTER_CTTIMEOUT_LICENSE = GPL-2.0+
>  LIBNETFILTER_CTTIMEOUT_LICENSE_FILES = COPYING
> +LIBNETFILTER_CTTIMEOUT_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnetfilter_queue/libnetfilter_queue.mk b/package/libnetfilter_queue/libnetfilter_queue.mk
> index 2bb4dd376d..6cd35baea1 100644
> --- a/package/libnetfilter_queue/libnetfilter_queue.mk
> +++ b/package/libnetfilter_queue/libnetfilter_queue.mk
> @@ -12,5 +12,6 @@ LIBNETFILTER_QUEUE_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
>  LIBNETFILTER_QUEUE_AUTORECONF = YES
>  LIBNETFILTER_QUEUE_LICENSE = GPL-2.0+
>  LIBNETFILTER_QUEUE_LICENSE_FILES = COPYING
> +LIBNETFILTER_QUEUE_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnfnetlink/libnfnetlink.mk b/package/libnfnetlink/libnfnetlink.mk
> index 13f5d72c87..a5ad47b85e 100644
> --- a/package/libnfnetlink/libnfnetlink.mk
> +++ b/package/libnfnetlink/libnfnetlink.mk
> @@ -11,5 +11,6 @@ LIBNFNETLINK_AUTORECONF = YES
>  LIBNFNETLINK_INSTALL_STAGING = YES
>  LIBNFNETLINK_LICENSE = GPL-2.0
>  LIBNFNETLINK_LICENSE_FILES = COPYING
> +LIBNFNETLINK_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
> index 8909e36b9e..dd03de7674 100644
> --- a/package/libopenssl/Config.in
> +++ b/package/libopenssl/Config.in
> @@ -45,3 +45,14 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
>  	  Install additional encryption engine libraries.
>  
>  endif # BR2_PACKAGE_LIBOPENSSL
> +# See package/openssl/Config.in for the actual kconfig
> +# of this package. This file provides a URL for CPE use.
> +
> +#	help
> +#	  A collaborative effort to develop a robust, commercial-grade,
> +#	  fully featured, and Open Source toolkit implementing the
> +#	  Secure Sockets Layer (SSL v2/v3) and Transport Security
> +#	  (TLS v1) as well as a full-strength general-purpose
> +#	  cryptography library.
> +#
> +#	  http://www.openssl.org/
> diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> index fe5a444cc7..75a7b485ef 100644
> --- a/package/libopenssl/libopenssl.mk
> +++ b/package/libopenssl/libopenssl.mk
> @@ -15,6 +15,8 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
>  LIBOPENSSL_TARGET_ARCH = $(call qstrip,$(BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH))
>  LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
>  LIBOPENSSL_PROVIDES = openssl
> +LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)
> +LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)
>  
>  ifeq ($(BR2_m68k_cf),y)
>  # relocation truncated to fit: R_68K_GOT16O
> diff --git a/package/libpcap/libpcap.mk b/package/libpcap/libpcap.mk
> index 881a109a0a..e323461529 100644
> --- a/package/libpcap/libpcap.mk
> +++ b/package/libpcap/libpcap.mk
> @@ -8,6 +8,7 @@ LIBPCAP_VERSION = 1.9.1
>  LIBPCAP_SITE = http://www.tcpdump.org/release
>  LIBPCAP_LICENSE = BSD-3-Clause
>  LIBPCAP_LICENSE_FILES = LICENSE
> +LIBPCAP_CPE_ID_VENDOR = tcpdump
>  LIBPCAP_INSTALL_STAGING = YES
>  LIBPCAP_DEPENDENCIES = host-flex host-bison
>  
> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> index 8087af539a..fdd13aa942 100644
> --- a/package/libselinux/libselinux.mk
> +++ b/package/libselinux/libselinux.mk
> @@ -8,6 +8,7 @@ LIBSELINUX_VERSION = 3.1
>  LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
>  LIBSELINUX_LICENSE = Public Domain
>  LIBSELINUX_LICENSE_FILES = LICENSE
> +LIBSELINUX_CPE_ID_VENDOR = selinuxproject
>  
>  LIBSELINUX_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) libsepol pcre
>  
> diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
> index 3ea0603f53..48e2bbbc8b 100644
> --- a/package/libsemanage/libsemanage.mk
> +++ b/package/libsemanage/libsemanage.mk
> @@ -9,6 +9,7 @@ LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
>  LIBSEMANAGE_LICENSE = LGPL-2.1+
>  LIBSEMANAGE_LICENSE_FILES = COPYING
>  LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
> +LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
>  LIBSEMANAGE_INSTALL_STAGING = YES
>  
>  LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
> diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
> index 7d8b7b2063..a4398bdc42 100644
> --- a/package/libsepol/libsepol.mk
> +++ b/package/libsepol/libsepol.mk
> @@ -8,6 +8,7 @@ LIBSEPOL_VERSION = 3.1
>  LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
>  LIBSEPOL_LICENSE = LGPL-2.1+
>  LIBSEPOL_LICENSE_FILES = COPYING
> +LIBSEPOL_CPE_ID_VENDOR = selinuxproject
>  
>  LIBSEPOL_INSTALL_STAGING = YES
>  LIBSEPOL_DEPENDENCIES = host-flex
> diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
> index c03fe0db55..eb66ab5643 100644
> --- a/package/libssh2/libssh2.mk
> +++ b/package/libssh2/libssh2.mk
> @@ -8,6 +8,7 @@ LIBSSH2_VERSION = 1.9.0
>  LIBSSH2_SITE = https://www.libssh2.org/download
>  LIBSSH2_LICENSE = BSD
>  LIBSSH2_LICENSE_FILES = COPYING
> +LIBSSH2_CPE_ID_VENDOR = $(LIBSSH2_NAME)
>  LIBSSH2_INSTALL_STAGING = YES
>  LIBSSH2_CONF_OPTS = --disable-examples-build
>  
> diff --git a/package/libsysfs/libsysfs.mk b/package/libsysfs/libsysfs.mk
> index 13edc9a4ea..fd8bfa6724 100644
> --- a/package/libsysfs/libsysfs.mk
> +++ b/package/libsysfs/libsysfs.mk
> @@ -10,5 +10,7 @@ LIBSYSFS_SOURCE = sysfsutils-$(LIBSYSFS_VERSION).tar.gz
>  LIBSYSFS_INSTALL_STAGING = YES
>  LIBSYSFS_LICENSE = GPL-2.0 (utilities), LGPL-2.1+ (library)
>  LIBSYSFS_LICENSE_FILES = cmd/GPL lib/LGPL
> +LIBSYSFS_CPE_ID_VENDOR = sysfsutils_project
> +LIBSYSFS_CPE_ID_NAME = sysfsutils
>  
>  $(eval $(autotools-package))
> diff --git a/package/libtasn1/libtasn1.mk b/package/libtasn1/libtasn1.mk
> index d5a6c69965..a354716824 100644
> --- a/package/libtasn1/libtasn1.mk
> +++ b/package/libtasn1/libtasn1.mk
> @@ -9,6 +9,7 @@ LIBTASN1_SITE = $(BR2_GNU_MIRROR)/libtasn1
>  LIBTASN1_DEPENDENCIES = host-bison host-pkgconf
>  LIBTASN1_LICENSE = GPL-3.0+ (tests, tools), LGPL-2.1+ (library)
>  LIBTASN1_LICENSE_FILES = LICENSE doc/COPYING doc/COPYING.LESSER
> +LIBTASN1_CPE_ID_VENDOR = gnu
>  LIBTASN1_INSTALL_STAGING = YES
>  
>  # We're patching fuzz/Makefile.am
> diff --git a/package/libunistring/libunistring.mk b/package/libunistring/libunistring.mk
> index fa51447170..1ed7ecf906 100644
> --- a/package/libunistring/libunistring.mk
> +++ b/package/libunistring/libunistring.mk
> @@ -10,6 +10,7 @@ LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
>  LIBUNISTRING_INSTALL_STAGING = YES
>  LIBUNISTRING_LICENSE = LGPL-3.0+ or GPL-2.0
>  LIBUNISTRING_LICENSE_FILES = COPYING COPYING.LIB
> +LIBUNISTRING_CPE_ID_VENDOR = gnu
>  
>  $(eval $(autotools-package))
>  $(eval $(host-autotools-package))
> diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
> index e9379b05ae..e472970fde 100644
> --- a/package/libxml2/libxml2.mk
> +++ b/package/libxml2/libxml2.mk
> @@ -15,6 +15,7 @@ LIBXML2_IGNORE_CVES += CVE-2020-7595
>  LIBXML2_IGNORE_CVES += CVE-2019-20388
>  # 0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch
>  LIBXML2_IGNORE_CVES += CVE-2020-24977
> +LIBXML2_CPE_ID_VENDOR = xmlsoft
>  LIBXML2_CONFIG_SCRIPTS = xml2-config
>  
>  # relocation truncated to fit: R_68K_GOT16O
> diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
> index 2f37f303ac..3c603ad9f6 100644
> --- a/package/libxslt/libxslt.mk
> +++ b/package/libxslt/libxslt.mk
> @@ -9,6 +9,7 @@ LIBXSLT_SITE = http://xmlsoft.org/sources
>  LIBXSLT_INSTALL_STAGING = YES
>  LIBXSLT_LICENSE = MIT
>  LIBXSLT_LICENSE_FILES = COPYING
> +LIBXSLT_CPE_ID_VENDOR = xmlsoft
>  
>  LIBXSLT_CONF_OPTS = \
>  	--with-gnu-ld \
> diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
> index eea0c12f22..a1e2640bac 100644
> --- a/package/libzlib/libzlib.mk
> +++ b/package/libzlib/libzlib.mk
> @@ -11,6 +11,8 @@ LIBZLIB_LICENSE = Zlib
>  LIBZLIB_LICENSE_FILES = README
>  LIBZLIB_INSTALL_STAGING = YES
>  LIBZLIB_PROVIDES = zlib
> +LIBZLIB_CPE_ID_VENDOR = gnu
> +LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)
>  
>  # It is not possible to build only a shared version of zlib, so we build both
>  # shared and static, unless we only want the static libs, and we eventually
> diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
> index 7181465c66..39600ef94b 100644
> --- a/package/lighttpd/lighttpd.mk
> +++ b/package/lighttpd/lighttpd.mk
> @@ -10,6 +10,7 @@ LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
>  LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
>  LIGHTTPD_LICENSE = BSD-3-Clause
>  LIGHTTPD_LICENSE_FILES = COPYING
> +LIGHTTPD_CPE_ID_VENDOR = $(LIGHTTPD_NAME)
>  LIGHTTPD_DEPENDENCIES = host-pkgconf
>  LIGHTTPD_CONF_OPTS = \
>  	--without-wolfssl \
> diff --git a/package/linux-firmware/linux-firmware.mk b/package/linux-firmware/linux-firmware.mk
> index d9ad942903..368ff83a37 100644
> --- a/package/linux-firmware/linux-firmware.mk
> +++ b/package/linux-firmware/linux-firmware.mk
> @@ -8,6 +8,8 @@ LINUX_FIRMWARE_VERSION = 20200122
>  LINUX_FIRMWARE_SITE = http://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
>  LINUX_FIRMWARE_SITE_METHOD = git
>  
> +LINUX_FIRMWARE_CPE_ID_VENDOR = kernel
> +
>  # Intel SST DSP
>  ifeq ($(BR2_PACKAGE_LINUX_FIRMWARE_INTEL_SST_DSP),y)
>  LINUX_FIRMWARE_FILES += intel/fw_sst_0f28.bin-48kHz_i2s_master
> diff --git a/package/linux-headers/linux-headers.mk b/package/linux-headers/linux-headers.mk
> index 4c3cb716b3..4496295f2a 100644
> --- a/package/linux-headers/linux-headers.mk
> +++ b/package/linux-headers/linux-headers.mk
> @@ -102,6 +102,8 @@ LINUX_HEADERS_LICENSE_FILES = \
>  	LICENSES/preferred/GPL-2.0 \
>  	LICENSES/exceptions/Linux-syscall-note
>  endif
> +LINUX_HEADERS_CPE_ID_VENDOR = linux
> +LINUX_HEADERS_CPE_ID_NAME = linux_kernel
>  
>  LINUX_HEADERS_INSTALL_STAGING = YES
>  
> diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
> index 57fb2c9cfd..ecd4a723c4 100644
> --- a/package/linux-pam/linux-pam.mk
> +++ b/package/linux-pam/linux-pam.mk
> @@ -23,6 +23,8 @@ LINUX_PAM_LICENSE_FILES = Copyright
>  # We're patching configure.ac
>  LINUX_PAM_AUTORECONF = YES
>  LINUX_PAM_MAKE_OPTS += LIBS=$(TARGET_NLS_LIBS)
> +LINUX_PAM_CPE_ID_VENDOR = $(LINUX_PAM_NAME)
> +LINUX_PAM_CPE_ID_NAME = $(LINUX_PAM_NAME)
>  
>  ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
>  LINUX_PAM_CONF_OPTS += --enable-selinux
> diff --git a/package/llvm/llvm.mk b/package/llvm/llvm.mk
> index 24d033d124..177fff71bb 100644
> --- a/package/llvm/llvm.mk
> +++ b/package/llvm/llvm.mk
> @@ -10,6 +10,7 @@ LLVM_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLV
>  LLVM_SOURCE = llvm-$(LLVM_VERSION).src.tar.xz
>  LLVM_LICENSE = Apache-2.0 with exceptions
>  LLVM_LICENSE_FILES = LICENSE.TXT
> +LLVM_CPE_ID_VENDOR = $(LLVM_NAME)
>  LLVM_SUPPORTS_IN_SOURCE_BUILD = NO
>  LLVM_INSTALL_STAGING = YES
>  
> diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
> index b067f145e3..576036e246 100644
> --- a/package/lxc/lxc.mk
> +++ b/package/lxc/lxc.mk
> @@ -8,6 +8,7 @@ LXC_VERSION = 4.0.5
>  LXC_SITE = https://linuxcontainers.org/downloads/lxc
>  LXC_LICENSE = GPL-2.0 (some tools), LGPL-2.1+
>  LXC_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1
> +LXC_CPE_ID_VENDOR = linuxcontainers
>  LXC_DEPENDENCIES = host-pkgconf
>  LXC_INSTALL_STAGING = YES
>  
> diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
> index fa309e8dbb..7c91b6eecc 100644
> --- a/package/lz4/lz4.mk
> +++ b/package/lz4/lz4.mk
> @@ -9,6 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
>  LZ4_INSTALL_STAGING = YES
>  LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
>  LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
> +LZ4_CPE_ID_VENDOR = yann_collet
>  
>  # CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
>  # 1.9.2, while in fact this issue has been fixed since lz4-r130:
> diff --git a/package/memtester/memtester.mk b/package/memtester/memtester.mk
> index 1a319462a5..49cc935f39 100644
> --- a/package/memtester/memtester.mk
> +++ b/package/memtester/memtester.mk
> @@ -8,6 +8,7 @@ MEMTESTER_VERSION = 4.5.0
>  MEMTESTER_SITE = http://pyropus.ca/software/memtester/old-versions
>  MEMTESTER_LICENSE = GPL-2.0
>  MEMTESTER_LICENSE_FILES = COPYING
> +MEMTESTER_CPE_ID_VENDOR = pryopus
>  
>  MEMTESTER_TARGET_INSTALL_OPTS = INSTALLPATH=$(TARGET_DIR)/usr
>  
> diff --git a/package/mii-diag/mii-diag.mk b/package/mii-diag/mii-diag.mk
> index 6efd5be80d..a7c6483221 100644
> --- a/package/mii-diag/mii-diag.mk
> +++ b/package/mii-diag/mii-diag.mk
> @@ -10,6 +10,7 @@ MII_DIAG_PATCH = mii-diag_$(MII_DIAG_VERSION)-3.diff.gz
>  MII_DIAG_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/m/mii-diag
>  MII_DIAG_LICENSE = GPL # No version specified
>  MII_DIAG_LICENSE_FILES = mii-diag.c
> +MII_DIAG_CPE_ID_VENDOR = debian
>  
>  MII_DIAG_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
>  
> diff --git a/package/mpfr/mpfr.mk b/package/mpfr/mpfr.mk
> index ef2999eb16..837aff3aa5 100644
> --- a/package/mpfr/mpfr.mk
> +++ b/package/mpfr/mpfr.mk
> @@ -9,6 +9,7 @@ MPFR_SITE = http://www.mpfr.org/mpfr-$(MPFR_VERSION)
>  MPFR_SOURCE = mpfr-$(MPFR_VERSION).tar.xz
>  MPFR_LICENSE = LGPL-3.0+
>  MPFR_LICENSE_FILES = COPYING.LESSER
> +MPFR_CPE_ID_VENDOR = gnu
>  MPFR_INSTALL_STAGING = YES
>  MPFR_DEPENDENCIES = gmp
>  HOST_MPFR_DEPENDENCIES = host-gmp
> diff --git a/package/mrouted/mrouted.mk b/package/mrouted/mrouted.mk
> index ae2f8a4e20..4e3715b445 100644
> --- a/package/mrouted/mrouted.mk
> +++ b/package/mrouted/mrouted.mk
> @@ -11,6 +11,7 @@ MROUTED_DEPENDENCIES = host-bison
>  MROUTED_LICENSE = BSD-3-Clause
>  MROUTED_LICENSE_FILES = LICENSE
>  MROUTED_CONFIGURE_OPTS = --enable-rsrr
> +MROUTED_CPE_ID_VENDOR = troglobit
>  
>  define MROUTED_INSTALL_INIT_SYSTEMD
>  	$(INSTALL) -D -m 644 $(@D)/mrouted.service \
> diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
> index 9f259b35d9..d0e70b8c8b 100644
> --- a/package/mtd/mtd.mk
> +++ b/package/mtd/mtd.mk
> @@ -9,6 +9,8 @@ MTD_SOURCE = mtd-utils-$(MTD_VERSION).tar.bz2
>  MTD_SITE = ftp://ftp.infradead.org/pub/mtd-utils
>  MTD_LICENSE = GPL-2.0
>  MTD_LICENSE_FILES = COPYING
> +MTD_CPE_ID_VENDOR = mtd-utils_project
> +MTD_CPE_ID_NAME = mtd-utils
>  MTD_INSTALL_STAGING = YES
>  
>  ifeq ($(BR2_PACKAGE_MTD_JFFS_UTILS),y)
> diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
> index c11650c766..5c5e497488 100644
> --- a/package/ncurses/ncurses.mk
> +++ b/package/ncurses/ncurses.mk
> @@ -10,6 +10,7 @@ NCURSES_INSTALL_STAGING = YES
>  NCURSES_DEPENDENCIES = host-ncurses
>  NCURSES_LICENSE = MIT with advertising clause
>  NCURSES_LICENSE_FILES = COPYING
> +NCURSES_CPE_ID_VENDOR = gnu
>  NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
>  NCURSES_PATCH = \
>  	$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
> diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
> index 904279d1fb..09ca33f754 100644
> --- a/package/netsnmp/netsnmp.mk
> +++ b/package/netsnmp/netsnmp.mk
> @@ -9,6 +9,8 @@ NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NET
>  NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
>  NETSNMP_LICENSE = Various BSD-like
>  NETSNMP_LICENSE_FILES = COPYING
> +NETSNMP_CPE_ID_VENDOR = net-snmp
> +NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR)
>  NETSNMP_INSTALL_STAGING = YES
>  NETSNMP_CONF_ENV = ac_cv_NETSNMP_CAN_USE_SYSCTL=no
>  NETSNMP_CONF_OPTS = \
> diff --git a/package/nfs-utils/nfs-utils.mk b/package/nfs-utils/nfs-utils.mk
> index d60b5055a0..df581b381f 100644
> --- a/package/nfs-utils/nfs-utils.mk
> +++ b/package/nfs-utils/nfs-utils.mk
> @@ -10,6 +10,8 @@ NFS_UTILS_SITE = https://www.kernel.org/pub/linux/utils/nfs-utils/$(NFS_UTILS_VE
>  NFS_UTILS_LICENSE = GPL-2.0+
>  NFS_UTILS_LICENSE_FILES = COPYING
>  NFS_UTILS_DEPENDENCIES = host-nfs-utils host-pkgconf libtirpc
> +NFS_UTILS_CPE_ID_VENDOR = linux-nfs
> +NFS_UTILS_AUTORECONF = YES
>  
>  NFS_UTILS_CONF_ENV = knfsd_cv_bsd_signals=no
>  
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 64ac22181b..c8937229ab 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -5,6 +5,8 @@
>  ################################################################################
>  
>  OPENSSH_VERSION = 8.3p1
> +OPENSSH_CPE_ID_VERSION = 8.3
> +OPENSSH_CPE_ID_VERSION_MINOR = p1
>  OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
>  OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
>  OPENSSH_LICENSE_FILES = LICENCE
> @@ -12,6 +14,7 @@ OPENSSH_CONF_ENV = \
>  	LD="$(TARGET_CC)" \
>  	LDFLAGS="$(TARGET_CFLAGS)" \
>  	LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
> +OPENSSH_CPE_ID_VENDOR = openbsd
>  OPENSSH_CONF_OPTS = \
>  	--sysconfdir=/etc/ssh \
>  	--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
> diff --git a/package/pax-utils/pax-utils.mk b/package/pax-utils/pax-utils.mk
> index 502fc87446..704e50e738 100644
> --- a/package/pax-utils/pax-utils.mk
> +++ b/package/pax-utils/pax-utils.mk
> @@ -9,6 +9,7 @@ PAX_UTILS_SITE = http://distfiles.gentoo.org/distfiles
>  PAX_UTILS_SOURCE = pax-utils-$(PAX_UTILS_VERSION).tar.xz
>  PAX_UTILS_LICENSE = GPL-2.0
>  PAX_UTILS_LICENSE_FILES = COPYING
> +PAX_UTILS_CPE_ID_VENDOR = gentoo
>  
>  PAX_UTILS_DEPENDENCIES = host-pkgconf
>  PAX_UTILS_CONF_OPTS = --without-python
> diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
> index e632e222c3..1b8d6699b6 100644
> --- a/package/paxtest/paxtest.mk
> +++ b/package/paxtest/paxtest.mk
> @@ -8,6 +8,7 @@ PAXTEST_VERSION = 0.9.15
>  PAXTEST_SITE = https://www.grsecurity.net/~spender
>  PAXTEST_LICENSE = GPL-2.0+
>  PAXTEST_LICENSE_FILES = README
> +PAXTEST_CPE_ID_VENDOR = grsecurity
>  
>  define PAXTEST_BUILD_CMDS
>  	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
> diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
> index 3c280e593f..b37a2ca9b7 100644
> --- a/package/pcre/pcre.mk
> +++ b/package/pcre/pcre.mk
> @@ -9,6 +9,7 @@ PCRE_SITE = https://ftp.pcre.org/pub/pcre
>  PCRE_SOURCE = pcre-$(PCRE_VERSION).tar.bz2
>  PCRE_LICENSE = BSD-3-Clause
>  PCRE_LICENSE_FILES = LICENCE
> +PCRE_CPE_ID_VENDOR = $(PCRE_NAME)
>  PCRE_INSTALL_STAGING = YES
>  PCRE_CONFIG_SCRIPTS = pcre-config
>  
> diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
> index a446ebca46..52d4e36f2e 100644
> --- a/package/pixman/pixman.mk
> +++ b/package/pixman/pixman.mk
> @@ -9,6 +9,7 @@ PIXMAN_SOURCE = pixman-$(PIXMAN_VERSION).tar.xz
>  PIXMAN_SITE = https://xorg.freedesktop.org/releases/individual/lib
>  PIXMAN_LICENSE = MIT
>  PIXMAN_LICENSE_FILES = COPYING
> +PIXMAN_CPE_ID_VENDOR = $(PIXMAN_NAME)
>  
>  PIXMAN_INSTALL_STAGING = YES
>  PIXMAN_DEPENDENCIES = host-pkgconf
> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
> index 4c0fdc71a7..0dfdc7af03 100644
> --- a/package/policycoreutils/policycoreutils.mk
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -8,6 +8,7 @@ POLICYCOREUTILS_VERSION = 3.1
>  POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
>  POLICYCOREUTILS_LICENSE = GPL-2.0
>  POLICYCOREUTILS_LICENSE_FILES = COPYING
> +POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
>  
>  POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
>  POLICYCOREUTILS_MAKE_OPTS = LDLIBS=$(TARGET_NLS_LIBS)
> diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk
> index 685666a200..118f9fc334 100644
> --- a/package/pppd/pppd.mk
> +++ b/package/pppd/pppd.mk
> @@ -10,6 +10,8 @@ PPPD_LICENSE = LGPL-2.0+, LGPL, BSD-4-Clause, BSD-3-Clause, GPL-2.0+
>  PPPD_LICENSE_FILES = \
>  	pppd/tdb.c pppd/plugins/pppoatm/COPYING \
>  	pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c
> +PPPD_CPE_ID_VENDOR = samba
> +PPPD_CPE_ID_NAME = ppp
>  
>  # 0001-pppd-Fix-bounds-check.patch
>  PPPD_IGNORE_CVES += CVE-2020-8597
> diff --git a/package/proftpd/proftpd.mk b/package/proftpd/proftpd.mk
> index e126d0e0a4..94276233c8 100644
> --- a/package/proftpd/proftpd.mk
> +++ b/package/proftpd/proftpd.mk
> @@ -8,6 +8,7 @@ PROFTPD_VERSION = 1.3.6c
>  PROFTPD_SITE = $(call github,proftpd,proftpd,v$(PROFTPD_VERSION))
>  PROFTPD_LICENSE = GPL-2.0+
>  PROFTPD_LICENSE_FILES = COPYING
> +PROFTPD_CPE_ID_VENDOR = $(PROFTPD_NAME)
>  
>  PROFTPD_CONF_ENV = \
>  	ac_cv_func_setpgrp_void=yes \
> diff --git a/package/protobuf/protobuf.mk b/package/protobuf/protobuf.mk
> index 5f2690603d..773a7bd0f0 100644
> --- a/package/protobuf/protobuf.mk
> +++ b/package/protobuf/protobuf.mk
> @@ -12,6 +12,7 @@ PROTOBUF_SOURCE = protobuf-cpp-$(PROTOBUF_VERSION).tar.gz
>  PROTOBUF_SITE = https://github.com/google/protobuf/releases/download/v$(PROTOBUF_VERSION)
>  PROTOBUF_LICENSE = BSD-3-Clause
>  PROTOBUF_LICENSE_FILES = LICENSE
> +PROTOBUF_CPE_ID_VENDOR = google
>  
>  # N.B. Need to use host protoc during cross compilation.
>  PROTOBUF_DEPENDENCIES = host-protobuf
> diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
> index 7b7c7d9637..7e3d18b433 100644
> --- a/package/pure-ftpd/pure-ftpd.mk
> +++ b/package/pure-ftpd/pure-ftpd.mk
> @@ -9,6 +9,7 @@ PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
>  PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
>  PURE_FTPD_LICENSE = ISC
>  PURE_FTPD_LICENSE_FILES = COPYING
> +PURE_FTPD_CPE_ID_VENDOR = pureftpd
>  PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
>  
>  # 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
> index 7e727a6753..0b95cf4dc6 100644
> --- a/package/python-lxml/python-lxml.mk
> +++ b/package/python-lxml/python-lxml.mk
> @@ -15,6 +15,8 @@ PYTHON_LXML_LICENSE_FILES = \
>  	doc/licenses/BSD.txt \
>  	doc/licenses/elementtree.txt \
>  	src/lxml/isoschematron/resources/rng/iso-schematron.rng
> +PYTHON_LXML_CPE_ID_VENDOR = lxml
> +PYTHON_LXML_CPE_ID_NAME = lxml
>  
>  # python-lxml can use either setuptools, or distutils as a fallback.
>  # So, we use setuptools.
> diff --git a/package/python-setuptools/python-setuptools.mk b/package/python-setuptools/python-setuptools.mk
> index 2cb575ae22..ade5ca5521 100644
> --- a/package/python-setuptools/python-setuptools.mk
> +++ b/package/python-setuptools/python-setuptools.mk
> @@ -11,6 +11,8 @@ PYTHON_SETUPTOOLS_SOURCE = setuptools-$(PYTHON_SETUPTOOLS_VERSION).zip
>  PYTHON_SETUPTOOLS_SITE = https://files.pythonhosted.org/packages/b0/f3/44da7482ac6da3f36f68e253cb04de37365b3dba9036a3c70773b778b485
>  PYTHON_SETUPTOOLS_LICENSE = MIT
>  PYTHON_SETUPTOOLS_LICENSE_FILES = LICENSE
> +PYTHON_SETUPTOOLS_CPE_ID_VENDOR = python
> +PYTHON_SETUPTOOLS_CPE_ID_NAME = setuptools
>  PYTHON_SETUPTOOLS_SETUP_TYPE = setuptools
>  HOST_PYTHON_SETUPTOOLS_NEEDS_HOST_PYTHON = python2
>  
> diff --git a/package/python/python.mk b/package/python/python.mk
> index 10718f4358..6240cb6c2f 100644
> --- a/package/python/python.mk
> +++ b/package/python/python.mk
> @@ -10,6 +10,7 @@ PYTHON_SOURCE = Python-$(PYTHON_VERSION).tar.xz
>  PYTHON_SITE = https://python.org/ftp/python/$(PYTHON_VERSION)
>  PYTHON_LICENSE = Python-2.0, others
>  PYTHON_LICENSE_FILES = LICENSE
> +PYTHON_CPE_ID_VENDOR = $(PYTHON_NAME)
>  PYTHON_LIBTOOL_PATCH = NO
>  
>  # Python needs itself to be built, so in order to cross-compile
> diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
> index 69850ec938..a4b5688605 100644
> --- a/package/qemu/qemu.mk
> +++ b/package/qemu/qemu.mk
> @@ -12,6 +12,7 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
>  # NOTE: there is no top-level license file for non-(L)GPL licenses;
>  #       the non-(L)GPL license texts are specified in the affected
>  #       individual source files.
> +QEMU_CPE_ID_VENDOR = $(QEMU_NAME)
>  
>  #-------------------------------------------------------------
>  # Target-qemu
> diff --git a/package/rapidjson/rapidjson.mk b/package/rapidjson/rapidjson.mk
> index 9f1c82ce40..d3bcef7df1 100644
> --- a/package/rapidjson/rapidjson.mk
> +++ b/package/rapidjson/rapidjson.mk
> @@ -8,6 +8,7 @@ RAPIDJSON_VERSION = 1.1.0
>  RAPIDJSON_SITE = $(call github,miloyip,rapidjson,v$(RAPIDJSON_VERSION))
>  RAPIDJSON_LICENSE = MIT
>  RAPIDJSON_LICENSE_FILES = license.txt
> +RAPIDJSON_CPE_ID_VENDOR = tencent
>  
>  # rapidjson is a header-only C++ library
>  RAPIDJSON_INSTALL_TARGET = NO
> diff --git a/package/readline/readline.mk b/package/readline/readline.mk
> index f5d7d5bf9e..04872ac868 100644
> --- a/package/readline/readline.mk
> +++ b/package/readline/readline.mk
> @@ -14,6 +14,7 @@ READLINE_CONF_ENV = bash_cv_func_sigsetjmp=yes \
>  READLINE_CONF_OPTS = --disable-install-examples
>  READLINE_LICENSE = GPL-3.0+
>  READLINE_LICENSE_FILES = COPYING
> +READLINE_CPE_ID_VENDOR = gnu
>  
>  define READLINE_INSTALL_INPUTRC
>  	$(INSTALL) -D -m 644 package/readline/inputrc $(TARGET_DIR)/etc/inputrc
> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
> index 0e94b72826..90b555d859 100644
> --- a/package/refpolicy/refpolicy.mk
> +++ b/package/refpolicy/refpolicy.mk
> @@ -6,6 +6,7 @@
>  
>  REFPOLICY_LICENSE = GPL-2.0
>  REFPOLICY_LICENSE_FILES = COPYING
> +REFPOLICY_CPE_ID_VENDOR = tresys
>  REFPOLICY_INSTALL_STAGING = YES
>  REFPOLICY_DEPENDENCIES = \
>  	host-m4 \
> diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
> index 50f3328493..040b33795e 100644
> --- a/package/rsyslog/rsyslog.mk
> +++ b/package/rsyslog/rsyslog.mk
> @@ -8,6 +8,7 @@ RSYSLOG_VERSION = 8.2004.0
>  RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
>  RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
>  RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
> +RSYSLOG_CPE_ID_VENDOR = $(RSYSLOG_NAME)
>  RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
>  RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
>  RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
> diff --git a/package/rt-tests/rt-tests.mk b/package/rt-tests/rt-tests.mk
> index 26c257213b..d4fdab0f5d 100644
> --- a/package/rt-tests/rt-tests.mk
> +++ b/package/rt-tests/rt-tests.mk
> @@ -10,6 +10,7 @@ RT_TESTS_VERSION = 1.9
>  RT_TESTS_LICENSE = GPL-2.0+
>  RT_TESTS_LICENSE_FILES = COPYING
>  RT_TESTS_DEPENDENCIES = numactl
> +RT_TESTS_CPE_ID_VENDOR = kernel
>  
>  define RT_TESTS_BUILD_CMDS
>  	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
> diff --git a/package/sed/sed.mk b/package/sed/sed.mk
> index 6bb3220553..64fb2035b0 100644
> --- a/package/sed/sed.mk
> +++ b/package/sed/sed.mk
> @@ -9,6 +9,7 @@ SED_SOURCE = sed-$(SED_VERSION).tar.xz
>  SED_SITE = $(BR2_GNU_MIRROR)/sed
>  SED_LICENSE = GPL-3.0
>  SED_LICENSE_FILES = COPYING
> +SED_CPE_ID_VENDOR = gnu
>  
>  SED_CONF_OPTS = \
>  	--bindir=/bin \
> diff --git a/package/setools/setools.mk b/package/setools/setools.mk
> index c1a3a909cb..a07b1367a2 100644
> --- a/package/setools/setools.mk
> +++ b/package/setools/setools.mk
> @@ -10,6 +10,7 @@ SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-fle
>  SETOOLS_INSTALL_STAGING = YES
>  SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
>  SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
> +SETOOLS_CPE_ID_VENDOR = selinuxproject
>  SETOOLS_SETUP_TYPE = setuptools
>  HOST_SETOOLS_DEPENDENCIES = host-python3-cython host-libselinux host-libsepol host-python-networkx
>  HOST_SETOOLS_NEEDS_HOST_PYTHON = python3
> diff --git a/package/setserial/setserial.mk b/package/setserial/setserial.mk
> index 66ca59d79d..2e29e4c803 100644
> --- a/package/setserial/setserial.mk
> +++ b/package/setserial/setserial.mk
> @@ -10,6 +10,7 @@ SETSERIAL_SOURCE = setserial_$(SETSERIAL_VERSION).orig.tar.gz
>  SETSERIAL_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/s/setserial
>  SETSERIAL_LICENSE = GPL-2.0
>  SETSERIAL_LICENSE_FILES = debian/copyright
> +
>  # make all also builds setserial.cat which needs nroff
>  SETSERIAL_MAKE_OPTS = setserial
>  
> diff --git a/package/smcroute/smcroute.mk b/package/smcroute/smcroute.mk
> index 1a36c75d47..0db0e084f6 100644
> --- a/package/smcroute/smcroute.mk
> +++ b/package/smcroute/smcroute.mk
> @@ -9,6 +9,7 @@ SMCROUTE_SOURCE = smcroute-$(SMCROUTE_VERSION).tar.xz
>  SMCROUTE_SITE = https://github.com/troglobit/smcroute/releases/download/$(SMCROUTE_VERSION)
>  SMCROUTE_LICENSE = GPL-2.0+
>  SMCROUTE_LICENSE_FILES = COPYING
> +SMCROUTE_CPE_ID_VENDOR = troglobit
>  
>  SMCROUTE_CONF_OPTS = ac_cv_func_setpgrp_void=yes
>  #BUG:The package Makefile uses CC?= even though the package is autotools based
> diff --git a/package/spawn-fcgi/spawn-fcgi.mk b/package/spawn-fcgi/spawn-fcgi.mk
> index ed97d0a7b4..8caa1e2b3c 100644
> --- a/package/spawn-fcgi/spawn-fcgi.mk
> +++ b/package/spawn-fcgi/spawn-fcgi.mk
> @@ -9,5 +9,6 @@ SPAWN_FCGI_SITE = http://www.lighttpd.net/download
>  SPAWN_FCGI_SOURCE = spawn-fcgi-$(SPAWN_FCGI_VERSION).tar.bz2
>  SPAWN_FCGI_LICENSE = BSD-3-Clause
>  SPAWN_FCGI_LICENSE_FILES = COPYING
> +SPAWN_FCGI_CPE_ID_VENDOR = lighttpd
>  
>  $(eval $(autotools-package))
> diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
> index c8b9ba3150..796292178c 100644
> --- a/package/sqlite/sqlite.mk
> +++ b/package/sqlite/sqlite.mk
> @@ -5,11 +5,13 @@
>  ################################################################################
>  
>  SQLITE_VERSION = 3320300
> +SQLITE_CPE_ID_VERSION = 3.31.1
>  SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz
>  SQLITE_SITE = https://www.sqlite.org/2020
>  SQLITE_LICENSE = Public domain
>  SQLITE_LICENSE_FILES = tea/license.terms
>  SQLITE_INSTALL_STAGING = YES
> +SQLITE_CPE_ID_VENDOR = $(SQLITE_NAME)
>  
>  ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y)
>  SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4
> diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> index a0290c5bf6..e0e8bb0ce8 100644
> --- a/package/strongswan/strongswan.mk
> +++ b/package/strongswan/strongswan.mk
> @@ -9,6 +9,7 @@ STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2
>  STRONGSWAN_SITE = http://download.strongswan.org
>  STRONGSWAN_LICENSE = GPL-2.0+
>  STRONGSWAN_LICENSE_FILES = COPYING LICENSE
> +STRONGSWAN_CPE_ID_VENDOR = $(STRONGSWAN_NAME)
>  STRONGSWAN_DEPENDENCIES = host-pkgconf
>  STRONGSWAN_INSTALL_STAGING = YES
>  STRONGSWAN_CONF_OPTS += \
> diff --git a/package/tar/tar.mk b/package/tar/tar.mk
> index 9e0a40e561..643eff1cbc 100644
> --- a/package/tar/tar.mk
> +++ b/package/tar/tar.mk
> @@ -12,6 +12,7 @@ TAR_SITE = $(BR2_GNU_MIRROR)/tar
>  TAR_CONF_OPTS = --exec-prefix=/
>  TAR_LICENSE = GPL-3.0+
>  TAR_LICENSE_FILES = COPYING
> +TAR_CPE_ID_VENDOR = gnu
>  
>  ifeq ($(BR2_PACKAGE_ACL),y)
>  TAR_DEPENDENCIES += acl
> diff --git a/package/tcl/tcl.mk b/package/tcl/tcl.mk
> index 6d750b3cd2..913891e897 100644
> --- a/package/tcl/tcl.mk
> +++ b/package/tcl/tcl.mk
> @@ -10,6 +10,7 @@ TCL_SOURCE = tcl$(TCL_VERSION)-src.tar.gz
>  TCL_SITE = http://downloads.sourceforge.net/project/tcl/Tcl/$(TCL_VERSION)
>  TCL_LICENSE = TCL
>  TCL_LICENSE_FILES = license.terms
> +TCL_CPE_ID_VENDOR = $(TCL_NAME)
>  TCL_SUBDIR = unix
>  TCL_INSTALL_STAGING = YES
>  TCL_AUTORECONF = YES
> diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk
> index 01a46b9b5f..9687e3c497 100644
> --- a/package/tcpdump/tcpdump.mk
> +++ b/package/tcpdump/tcpdump.mk
> @@ -8,6 +8,7 @@ TCPDUMP_VERSION = 4.9.3
>  TCPDUMP_SITE = http://www.tcpdump.org/release
>  TCPDUMP_LICENSE = BSD-3-Clause
>  TCPDUMP_LICENSE_FILES = LICENSE
> +TCPDUMP_CPE_ID_VENDOR = $(TCPDUMP_NAME)
>  TCPDUMP_CONF_ENV = \
>  	ac_cv_linux_vers=2 \
>  	td_cv_buggygetaddrinfo=no \
> diff --git a/package/tftpd/tftpd.mk b/package/tftpd/tftpd.mk
> index 57905fda05..301a222e39 100644
> --- a/package/tftpd/tftpd.mk
> +++ b/package/tftpd/tftpd.mk
> @@ -10,6 +10,8 @@ TFTPD_SITE = $(BR2_KERNEL_MIRROR)/software/network/tftp/tftp-hpa
>  TFTPD_CONF_OPTS = --without-tcpwrappers
>  TFTPD_LICENSE = BSD-4-Clause
>  TFTPD_LICENSE_FILES = tftpd/tftpd.c
> +TFTPD_CPE_ID_VENDOR = $(TFTPD_NAME)-hpa_project
> +TFTPD_CPE_ID_NAME = $(TFTPD_NAME)-hpa
>  
>  define TFTPD_INSTALL_TARGET_CMDS
>  	$(INSTALL) -D $(@D)/tftp/tftp $(TARGET_DIR)/usr/bin/tftp
> diff --git a/package/uboot-tools/uboot-tools.mk b/package/uboot-tools/uboot-tools.mk
> index 6aa7cba2dd..3a8e21ec9b 100644
> --- a/package/uboot-tools/uboot-tools.mk
> +++ b/package/uboot-tools/uboot-tools.mk
> @@ -9,6 +9,8 @@ UBOOT_TOOLS_SOURCE = u-boot-$(UBOOT_TOOLS_VERSION).tar.bz2
>  UBOOT_TOOLS_SITE = ftp://ftp.denx.de/pub/u-boot
>  UBOOT_TOOLS_LICENSE = GPL-2.0+
>  UBOOT_TOOLS_LICENSE_FILES = Licenses/gpl-2.0.txt
> +UBOOT_TOOLS_CPE_ID_VENDOR = denx
> +UBOOT_TOOLS_CPE_ID_NAME = u-boot
>  UBOOT_TOOLS_INSTALL_STAGING = YES
>  
>  # u-boot 2020.01+ needs make 4.0+
> diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
> index 0b29ef4d6f..46d7474b7f 100644
> --- a/package/util-linux/util-linux.mk
> +++ b/package/util-linux/util-linux.mk
> @@ -23,6 +23,7 @@ UTIL_LINUX_LICENSE_FILES = README.licensing \
>  	Documentation/licenses/COPYING.ISC \
>  	Documentation/licenses/COPYING.LGPL-2.1-or-later
>  
> +UTIL_LINUX_CPE_ID_VENDOR = kernel
>  UTIL_LINUX_INSTALL_STAGING = YES
>  UTIL_LINUX_DEPENDENCIES = \
>  	host-pkgconf \
> diff --git a/package/valgrind/valgrind.mk b/package/valgrind/valgrind.mk
> index 7fd3278614..7d0070a974 100644
> --- a/package/valgrind/valgrind.mk
> +++ b/package/valgrind/valgrind.mk
> @@ -9,6 +9,7 @@ VALGRIND_SITE = https://sourceware.org/pub/valgrind
>  VALGRIND_SOURCE = valgrind-$(VALGRIND_VERSION).tar.bz2
>  VALGRIND_LICENSE = GPL-2.0, GFDL-1.2
>  VALGRIND_LICENSE_FILES = COPYING COPYING.DOCS
> +VALGRIND_CPE_ID_VENDOR = $(VALGRIND_NAME)
>  VALGRIND_CONF_OPTS = \
>  	--disable-ubsan \
>  	--without-mpicc
> diff --git a/package/vim/vim.mk b/package/vim/vim.mk
> index 1fbb6a6b86..2bd3d437e4 100644
> --- a/package/vim/vim.mk
> +++ b/package/vim/vim.mk
> @@ -23,6 +23,7 @@ VIM_CONF_ENV = \
>  VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
>  VIM_LICENSE = Charityware
>  VIM_LICENSE_FILES = README.txt
> +VIM_CPE_ID_VENDOR = $(VIM_NAME)
>  
>  ifeq ($(BR2_PACKAGE_ACL),y)
>  VIM_CONF_OPTS += --enable-acl
> diff --git a/package/wget/wget.mk b/package/wget/wget.mk
> index ed3f1fdff9..65c132e453 100644
> --- a/package/wget/wget.mk
> +++ b/package/wget/wget.mk
> @@ -10,6 +10,7 @@ WGET_SITE = $(BR2_GNU_MIRROR)/wget
>  WGET_DEPENDENCIES = host-pkgconf
>  WGET_LICENSE = GPL-3.0+
>  WGET_LICENSE_FILES = COPYING
> +WGET_CPE_ID_VENDOR = gnu
>  
>  ifeq ($(BR2_PACKAGE_GNUTLS),y)
>  WGET_CONF_OPTS += --with-ssl=gnutls
> diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk
> index 52a0e0cffc..aaab7fc28b 100644
> --- a/package/wireless-regdb/wireless-regdb.mk
> +++ b/package/wireless-regdb/wireless-regdb.mk
> @@ -9,6 +9,7 @@ WIRELESS_REGDB_SOURCE = wireless-regdb-$(WIRELESS_REGDB_VERSION).tar.xz
>  WIRELESS_REGDB_SITE = $(BR2_KERNEL_MIRROR)/software/network/wireless-regdb
>  WIRELESS_REGDB_LICENSE = ISC
>  WIRELESS_REGDB_LICENSE_FILES = LICENSE
> +WIRELESS_REGDB_CPE_ID_VENDOR = kernel
>  
>  ifeq ($(BR2_PACKAGE_CRDA),y)
>  define  WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS
> diff --git a/package/wireless_tools/wireless_tools.mk b/package/wireless_tools/wireless_tools.mk
> index b87ab20fb2..01d03218d6 100644
> --- a/package/wireless_tools/wireless_tools.mk
> +++ b/package/wireless_tools/wireless_tools.mk
> @@ -10,6 +10,8 @@ WIRELESS_TOOLS_SITE = https://hewlettpackard.github.io/wireless-tools
>  WIRELESS_TOOLS_SOURCE = wireless_tools.$(WIRELESS_TOOLS_VERSION).tar.gz
>  WIRELESS_TOOLS_LICENSE = GPL-2.0
>  WIRELESS_TOOLS_LICENSE_FILES = COPYING
> +WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR)
> +WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9
>  WIRELESS_TOOLS_INSTALL_STAGING = YES
>  
>  WIRELESS_TOOLS_BUILD_TARGETS = iwmulticall
> diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
> index 7170db0d07..955f7fb98f 100644
> --- a/package/wpa_supplicant/wpa_supplicant.mk
> +++ b/package/wpa_supplicant/wpa_supplicant.mk
> @@ -8,6 +8,7 @@ WPA_SUPPLICANT_VERSION = 2.9
>  WPA_SUPPLICANT_SITE = http://w1.fi/releases
>  WPA_SUPPLICANT_LICENSE = BSD-3-Clause
>  WPA_SUPPLICANT_LICENSE_FILES = README
> +WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
>  WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
>  WPA_SUPPLICANT_SUBDIR = wpa_supplicant
>  WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
> diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
> index ae42b1e62f..5caf421132 100644
> --- a/package/xerces/xerces.mk
> +++ b/package/xerces/xerces.mk
> @@ -9,6 +9,8 @@ XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
>  XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
>  XERCES_LICENSE = Apache-2.0
>  XERCES_LICENSE_FILES = LICENSE
> +XERCES_CPE_ID_VENDOR = apache
> +XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+
>  XERCES_INSTALL_STAGING = YES
>  
>  define XERCES_DISABLE_SAMPLES
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index 487dac461b..ffbae4c873 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -11,6 +11,7 @@ XZ_INSTALL_STAGING = YES
>  XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
>  XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
>  XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
> +XZ_CPE_ID_VENDOR = tukaani
>  
>  ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
>  XZ_CONF_OPTS = --enable-threads
> -- 
> 2.26.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
/"\ ASCII RIBBON | ?With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably.?
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20201104/e2b7bbb0/attachment-0001.asc>

[Buildroot] [PATCH 10/10] package: provide CPE ID details for numerous packages

[Thomas Petazzoni]

Hello Alexander,

Thanks for taking a look at this series!

On Wed, 4 Nov 2020 16:42:59 +0100
Alexander Dahl <post@lespocky.de> wrote:

> > +EBTABLES_CVE_ID_VENDOR = netfilter  
> 
> Same here? CVE or CPE?
> 
> On all the other packages it is CPE, so maybe those two are just
> typos?

You are absolutely correct, those are typos. I'll do another pass on
this patch. Perhaps I should split it up into smaller chunks to make it
more manageable to review.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com